--On Tuesday, January 12, 2016 2:55 PM -0500 Katherine Faella <kmf(a)uri.edu>
wrote:
Hi Kathy,

I was afraid you were going to ask that. We are running the Redhat 6
supported 2.4.40-7.el6_7. We have a policy here of sticking with the
redhat supported releases of packages since our staff is so small.

Extremely ill advised for a number of reasons. I'd suggest using the LTB
project software instead, since it actually links to secure TLS software.
2.4.40 had some serious bugs as well. You can set up the LTB software via
their YUM repository.

<http://ltb-project.org/wiki/download#openldap>
<http://ltb-project.org/wiki/documentation/openldap-rpm#yum_repository>

I really need to resolve this for an important project here. Of course
the project is behind schedule and I am left with little time to get my
stuff working. I was hoping my syntax was just incorrect. The only
other way I can imagine fixing this is to revert to slapd.conf ....
I guess the good news is that my steps and syntax look okay to you. If
you have any other thoughts I would happily accept them.

Just tested, and can confirm it works correctly for me:
[zimbra@zre-ldap003 ~]$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w 8utM5cM7v0 -b "olcDatabase={2}mdb,cn=config" -s base olcAccess
dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,cn=zimbra" write
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra" write
olcAccess: {2}to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by users read by * none
olcAccess: {4}to attrs=@amavisAccount by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {5}to attrs=mail by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {6}to attrs=zimbraAllowFromAddress,DKIMIdentity,DKIMSelector,DKIMDomain,DKIMKey by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {7}to filter="(!(zimbraHideInGal=TRUE))" attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid,homePhone,pager,mobile,userCertificate by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by users read by * none
olcAccess: {8}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled,member,memberURL,zimbraMemberOf by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * none
olcAccess: {9}to dn.subtree="cn=groups,cn=zimbra" attrs=zimbraMailAlias,member,zimbraMailStatus,entry by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read
olcAccess: {10}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read

[zimbra@zre-ldap003 ~]$ cat /tmp/access-del.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}

[zimbra@zre-ldap003 ~]$ ldapmodify -x -H ldapi:/// -D cn=config -w 8utM5cM7v0 -f /tmp/access-del.ldif
modifying entry "olcDatabase={2}mdb,cn=config"
[zimbra@zre-ldap003 ~]$
[zimbra@zre-ldap003 ~]$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w 8utM5cM7v0 -b "olcDatabase={2}mdb,cn=config" -s base olcAccess
dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra" write
olcAccess: {1}to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {2}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by users read by * none
olcAccess: {3}to attrs=@amavisAccount by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {4}to attrs=mail by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {5}to attrs=zimbraAllowFromAddress,DKIMIdentity,DKIMSelector,DKIMDomain,DKIMKey by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {6}to filter="(!(zimbraHideInGal=TRUE))" attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid,homePhone,pager,mobile,userCertificate by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by users read by * none
olcAccess: {7}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled,member,memberURL,zimbraMemberOf by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * none
olcAccess: {8}to dn.subtree="cn=groups,cn=zimbra" attrs=zimbraMailAlias,member,zimbraMailStatus,entry by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read

--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
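
An added example, not part of the original message: a Python check that unfolds ldapsearch's LDIF output and confirms that deleting one olcAccess value by index removed only that rule and shifted the later rules down by one, which is what the before/after listings above show. The function names, the cn=example suffix and the sample rules are constructed for illustration.

```python
import re

RULE = re.compile(r"^olcAccess: \{(\d+)\}(.*)$")

def unfold(ldif):
    """Undo LDIF folding: a line that starts with one space continues the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def acl_rules(ldif):
    """Return olcAccess rule texts ordered by {n}; reject gaps or duplicate indices."""
    found = {}
    for line in unfold(ldif):
        m = RULE.match(line)
        if m:
            n = int(m.group(1))
            if n in found:
                raise ValueError(f"duplicate index {{{n}}}")
            found[n] = " ".join(m.group(2).split())  # collapse runs of spaces
    if sorted(found) != list(range(len(found))):
        raise ValueError("olcAccess indices are not contiguous from {0}")
    return [found[i] for i in range(len(found))]

def check_delete(before, after, index):
    """ok is True only if 'after' is 'before' minus rule {index}, later rules shifted down."""
    b, a = acl_rules(before), acl_rules(after)
    expected = b[:index] + b[index + 1:]
    return {"removed": b[index], "ok": a == expected,
            "unexpected": [r for r in a if r not in expected]}

# Constructed sample data (cn=example is a placeholder suffix), folded as ldapsearch folds.
BEFORE = """dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=adm
 ins,cn=example" write
olcAccess: {1}to dn.subtree="cn=example" by dn.children="cn=admins,cn=example"
  write
olcAccess: {2}to attrs=entry by dn.children="cn=admins,cn=example" write by
  * read
"""
AFTER = """dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to dn.subtree="cn=example" by dn.children="cn=admins,cn=exa
 mple" write
olcAccess: {1}to attrs=entry by dn.children="cn=admins,cn=example" write by * read
"""

if __name__ == "__main__":
    print(check_delete(BEFORE, AFTER, 0))
```

Feed it the saved output of the two ldapsearch runs; any entry under "unexpected" is a rule that appeared or changed during the modify and should be reviewed before the change is accepted.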