12:34 a.m.
Hello,
I have a multi-tenant [multiple DITs] LDAP directory setup.
One of things that I need to be able to do, is to retrieve records
from individual domain [DIT] -level databases using "superuser"
credentials.
I am able to do what I need using Unix sockets, as in:
$sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com
I want to use network credentials and network library to retrieve my
information. I am currently able to do this using DIT -level
credentials.
If I set salt the config password, is there something that would
fundamentally prevent the below from working?
$ldapsearch -D cn=config -h IPADRRESS -W -b dc=example,dc=com
Suggestions?
Sincerely,
Igor Shmukler
2:26 a.m.
Igor Shmukler wrote:
I have a multi-tenant [multiple DITs] LDAP directory setup.
One of things that I need to be able to do, is to retrieve records
from individual domain [DIT] -level databases using "superuser"
credentials.
You should start to read about access control:
slapd.access(5)
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/189.html
Don't claim to have a multi-tenant service before you really understood all of
the above.
Ciao, Michael.
7:05 a.m.
Hello Michael,
Thank you for reading my email and replying to the thread.
I don't believe that you answered my question. I was probably unclear.
Sorry. I will rephrase, as I am still looking for information.
Is there a reason why I should not be able to, or just should not, do the below:
1. change my OpenLDAP server configuration so cn=config can be
successfully authenticated using password.
2. retrieve records from non-config database[s] [over network, for
example giving ldapsearch -D cn=config -W]
Sincerely,
Igor Shmukler
On Mon, Mar 2, 2015 at 12:26 PM, Michael Ströder <michael(a)stroeder.com> wrote:
Igor Shmukler wrote:
> I have a multi-tenant [multiple DITs] LDAP directory setup.
> One of things that I need to be able to do, is to retrieve records
> from individual domain [DIT] -level databases using "superuser"
> credentials.
You should start to read about access control:
slapd.access(5)
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/189.html
Don't claim to have a multi-tenant service before you really understood all of
the above.
Ciao, Michael.
7:14 a.m.
Igor Shmukler wrote:
Hello Michael,
Thank you for reading my email and replying to the thread.
I don't believe that you answered my question. I was probably unclear.
Sorry. I will rephrase, as I am still looking for information.
Is there a reason why I should not be able to, or just should not, do the below:
1. change my OpenLDAP server configuration so cn=config can be
successfully authenticated using password.
2. retrieve records from non-config database[s] [over network, for
example giving ldapsearch -D cn=config -W]
AFAICS it's all possible. Basically the client authenticates, maybe the
authc-DN is mapped to an authz-DN depending on the authc mech used, and then
the client is authorized to access different parts of your whole LDAP data.
But you have to dive into those docs I pointed out.
On Mon, Mar 2, 2015 at 12:26 PM, Michael Ströder
<michael(a)stroeder.com> wrote:
> You should start to read about access control:
>
> slapd.access(5)
>
> http://www.openldap.org/doc/admin24/access-control.html
>
> http://www.openldap.org/faq/data/cache/189.html
>
> Don't claim to have a multi-tenant service before you really understood all of
> the above.
Ciao, Michael.
2942
days inactive
2942
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Igor Shmukler -
Michael Ströder