Hello,
I have a multi-tenant [multiple DITs] LDAP directory setup. One of the things that I need to be able to do is to retrieve records from individual domain [DIT]-level databases using "superuser" credentials.
I am able to do what I need using Unix sockets, as in: $ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com
I want to use network credentials and network library to retrieve my information. I am currently able to do this using DIT -level credentials.
If I set/salt the config password, is there something that would fundamentally prevent the below from working? $ ldapsearch -D cn=config -h IPADDRESS -W -b dc=example,dc=com
Suggestions?
Sincerely,
Igor Shmukler
Igor Shmukler wrote:
I have a multi-tenant [multiple DITs] LDAP directory setup. One of the things that I need to be able to do is to retrieve records from individual domain [DIT]-level databases using "superuser" credentials.
You should start to read about access control:
slapd.access(5)
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/189.html
Don't claim to have a multi-tenant service before you have really understood all of the above.
Ciao, Michael.
Hello Michael,
Thank you for reading my email and replying to the thread.
I don't believe that you answered my question. I was probably unclear. Sorry. I will rephrase, as I am still looking for information.
Is there a reason why I should not be able to, or just should not, do the below:
1. change my OpenLDAP server configuration so cn=config can be successfully authenticated using password.
2. retrieve records from non-config database[s] [over network, for example giving ldapsearch -D cn=config -W]
Sincerely,
Igor Shmukler
On Mon, Mar 2, 2015 at 12:26 PM, Michael Ströder michael@stroeder.com wrote:
Igor Shmukler wrote:
I have a multi-tenant [multiple DITs] LDAP directory setup. One of the things that I need to be able to do is to retrieve records from individual domain [DIT]-level databases using "superuser" credentials.
You should start to read about access control:
slapd.access(5)
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/189.html
Don't claim to have a multi-tenant service before you have really understood all of the above.
Ciao, Michael.
Igor Shmukler wrote:
Hello Michael,
Thank you for reading my email and replying to the thread.
I don't believe that you answered my question. I was probably unclear. Sorry. I will rephrase, as I am still looking for information.
Is there a reason why I should not be able to, or just should not, do the below:
1. change my OpenLDAP server configuration so cn=config can be successfully authenticated using password.
2. retrieve records from non-config database[s] [over network, for example giving ldapsearch -D cn=config -W]
AFAICS it's all possible. Basically the client authenticates, maybe the authc-DN is mapped to an authz-DN depending on the authc mech used, and then the client is authorized to access different parts of your whole LDAP data.
But you have to dive into those docs I pointed out.
On Mon, Mar 2, 2015 at 12:26 PM, Michael Ströder michael@stroeder.com wrote:
You should start to read about access control:
slapd.access(5)
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/189.html
Don't claim to have a multi-tenant service before you have really understood all of the above.
Ciao, Michael.
openldap-technical@openldap.org
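The configuration below is an added illustration of the two steps the reply describes (a network-bindable identity, then an authc-DN to authz-DN mapping, then per-database authorization via ACLs); it is not part of the thread and not an OpenLDAP project example. It assumes a cn=config-style server with the config database at olcDatabase={0}config and two tenant mdb databases at {1} and {2} holding dc=example,dc=com and a constructed second suffix dc=other,dc=org; the {SSHA} value is a placeholder to be replaced with real slappasswd output.

```ldif
# Added example, not from the thread. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f this.ldif
# Assumed layout: {0}config, {1}mdb = dc=example,dc=com, {2}mdb = dc=other,dc=org

# 1. Let cn=config authenticate with a simple bind over the network.
#    Placeholder hash: generate the real value with `slappasswd`.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd

# 2. Map the local root user arriving over ldapi:/// (SASL EXTERNAL, peercred)
#    to the same authorization DN, so socket and network access share one
#    identity. This is the authc-DN -> authz-DN mapping step; the "+" in the
#    peercred DN is escaped because the left-hand side is a regular expression.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=config

# 3. Per tenant database: the rootdn of the config database has no special
#    standing here, so cn=config is an ordinary bound DN subject to these ACLs.
#    Grant read only (the question is about retrieving records), put the rule
#    first ({0}) and "break" so the tenant's own rules still apply to everyone
#    else. Repeat for every tenant database that the identity must read.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=config" read by * break

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=config" read by * break
```

After applying it, `ldapwhoami -D cn=config -W -H ldap://HOST` should report dn:cn=config, and the search from the original question (`ldapsearch -D cn=config -W -H ldap://HOST -b dc=example,dc=com`) is then authorized by the {0} rule on that database rather than by any rootdn privilege. Two design points worth weighing before copying this: the config rootdn's password now also unlocks read access to every tenant, so a dedicated reader entry (for example a cn=reader entry under a separate administrative suffix) with its own password and the same ACL grants keeps the blast radius of a leaked credential smaller than reusing cn=config; and because ACL evaluation stops at the first matching `to` clause unless it ends in `break`, the placement and ordering of the added rule should be checked with `slapacl` against a sample tenant entry rather than assumed.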