--On Tuesday, October 10, 2017 6:39 PM +0200 Ervin Hegedüs airween@gmail.com wrote:
binddn="uid=repuser,dc=my,dc=domain,dc=hu"
Anyway - how can I solve this problem?
Your uid=repuser,dc=my,dc=domain,dc=hu user does not have "read" access on the userPassword attribute.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Hi Quanah,
thanks for your reply,
On Wed, Oct 11, 2017 at 06:44:01PM -0700, Quanah Gibson-Mount wrote:
--On Tuesday, October 10, 2017 6:39 PM +0200 Ervin Hegedüs airween@gmail.com wrote:
binddn="uid=repuser,dc=my,dc=domain,dc=hu"
Anyway - how can I solve this problem?
Your uid=repuser,dc=my,dc=domain,dc=hu user does not have "read" access on the userPassword attribute.
What would be the expected form of the olcAccess structure?
Now I configured these lines:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my,dc=domain,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=my,dc=domain,dc=hu" read by * none
olcAccess: {1}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write by * auth
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by * read
olcAccess: {4}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write by * auth
but it doesn't work: repuser can't read any part of the DB, only its own record. E.g.
ldapsearch -D "uid=repuser,dc=my,dc=domain,dc=hu" -W -b dc=my,dc=domain,dc=hu "(uid=abc_user1)" uid
gives

# search result
search: 2
result: 0 Success

as the answer.
What did I do wrong?
Thanks,
a.
Hi all,
On Thu, Oct 12, 2017 at 10:25:20AM +0200, Ervin Hegedüs wrote:
On Wed, Oct 11, 2017 at 06:44:01PM -0700, Quanah Gibson-Mount wrote:
Your uid=repuser,dc=my,dc=domain,dc=hu user does not have "read" access on the userPassword attribute.
what would be the expected form of olcAccess structure?
Now I configured these lines:
[...]
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=my,dc=domain,dc=hu" read by * none
olcAccess: {1}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write by * auth
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by * read
olcAccess: {4}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write by * auth
Sorry, it looks like those were wrong; I've configured this state:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=core,dc=hdt,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
and it works as well.
Now I have to set up admin rights for users who are members of a special group (e.g. groupabcadmins).
a.
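Why the first configuration returned zero entries, and how to add the group-admin rights without losing repuser's read access, as an added example that is not part of the thread. slapd evaluates olcAccess rules in index order and uses only the first "to" clause whose target matches the entry and attribute being accessed; within that clause the first matching "by" is final, and if none matches the implicit "by * none" applies. In the posted rule set, every entry under ou=ABC Customer matches {1}; repuser is neither self nor a member of the group, so it falls through to "by * auth", which is enough to bind but not to search or read, and {3} ("to * by * read") is never consulted for those entries. {4} is a verbatim copy of {1} and can never be reached. The fix is to name the replication identity in the subtree rule itself. The LDIF below is a cn=config modification for ldapmodify; the base DN, the repuser DN, the OU and the group name are the ones from the thread, everything else (in particular tightening "to *" from "by * read" to authenticated-only) is my assumption about the intended policy:

```ldif
# Added example, not from the thread. Replaces the whole olcAccess set on the
# {1}mdb database; apply with ldapmodify against cn=config (see note below).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password attributes: owner may change, anyone may bind against them, the
# syncrepl consumer identity may read them (it has to replicate the hashes),
# nobody else gets anything.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.exact="uid=repuser,dc=my,dc=domain,dc=hu" read
  by * none
# Customer subtree. Group members get write, the entry owner gets write, and
# the replication identity MUST be listed here: this clause is the first and
# only one consulted for these entries, so a repuser rule further down would
# never be reached. Everyone else can only bind (no read, no search), which
# keeps tenants from enumerating each other.
olcAccess: {1}to dn.children="ou=ABC Customer,dc=my,dc=domain,dc=hu"
  by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=my,dc=domain,dc=hu" write
  by self write
  by dn.exact="uid=repuser,dc=my,dc=domain,dc=hu" read
  by * auth
# Root DSE stays world-readable so clients can discover naming contexts.
olcAccess: {2}to dn.base=""
  by * read
# Everything else: authenticated users may read, anonymous may only bind.
# (Assumption: the original "by * read" let anonymous clients dump the tree.)
olcAccess: {3}to *
  by dn.exact="uid=repuser,dc=my,dc=domain,dc=hu" read
  by users read
  by * auth
```

Apply it with ldapmodify over the local socket as the cn=config root (on a Debian-style install that is `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`; the socket path and the EXTERNAL mapping are assumptions about the host). Check the result offline with slapacl(8) before trusting a replica to it, e.g. `slapacl -F /etc/ldap/slapd.d -D "uid=repuser,dc=my,dc=domain,dc=hu" -b "uid=abc_user1,ou=ABC Customer,dc=my,dc=domain,dc=hu" uid/read userPassword/read`, which reports ALLOWED or DENIED per attribute without needing a running slapd, then repeat the ldapsearch from the thread. If hosts rely on anonymous nss_ldap lookups, {3} has to keep "by * read"; the trade-off is that anyone who can reach the port can enumerate every entry outside the customer subtree.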
openldap-technical@openldap.org