Hi, all
I'm writing a little script to allow some people to manage LDAP users, as a CRUD. I created a user uid=crud,ou=Applications,dc=domain,dc=org and I need to allow this user to add, modify and delete users that belong only to ou=FTPUsers,dc=domain,dc=org.
I wrote this ACL in slapd.conf:
access to dn.subtree="ou=FTPUsers,dc=domain,dc=org"
    by dn.exact="cn=Admin,dc=domain,dc=org" write
    by dn.exact="uid=crud,ou=Applications,dc=domain,dc=org" write
    by self write
    by * read
Testing ACL, I had:
[root@svr2021 openldap2.4]# slapacl2.4 -f /etc/openldap2.4/slapd.conf -b "uid=crud,ou=Applications,dc=domain,dc=org" -D "uid=ftppinguim,ou=FTPUsers,dc=domain,dc=org" "uid/write:"
authcDN: "uid=ftppinguim,ou=ftpusers,dc=domain,dc=org"
write access to uid=: DENIED
So, the ACL is not working. If I ask for uid/read: instead, access is allowed.
Later I changed my ACL to dn.children, but the result was the same.
I'm using LDAP 2.4 and I would like to know if somebody already did the same configuration or has tips or docs to read.
Thanks a lot
.0. MrBiTs - mrbits.dcf@gmail.com ..0 GnuPG - http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6EC818FC2B3CA5AB 000 http://www.mrbits.com.br
On 07/07/2010 03:31 PM, MrBiTs wrote:
Couldn't it be because you disallow access preceding this particular ACL? ACLs are read rule by rule, thus they are position dependent in slapd.conf. I also don't use 'exact' but just 'dn'. If that's (some sort of) a mistake, please, feel free to correct me :)
Regards, Zdenek
Hi, Zdenek
Thanks for the reply. Makes sense, and it was my bad not to post all my rules.
So, my slapd.conf is like that:
access to attrs=userPassword,shadowLastChange
    by anonymous auth
    by dn.exact="cn=Admin,dc=domain,dc=org" write
    by self read
    by self write
    by * read
access to dn.subtree="ou=FTPUsers,dc=domain,dc=org"
    by dn.exact="cn=Admin,dc=domain,dc=org" write
    by dn.exact="uid=crud,ou=Applications,dc=domain,dc=org" write
    by self write
    by * read
access to *
    by dn.exact="cn=Admin,dc=domain,dc=org" write
    by self write
    by * read
Do you (or somebody) think that the "by * read" before the FTPUsers rule can "kill" the uid=crud write ACL?
I have never used just 'dn', but I don't think this is an error. I will test some rule orders and dn without exact as soon as I finish the meeting I am in, and I'll post my results.
Cheers
--
.0. MrBiTs - mrbits.dcf@gmail.com ..0 GnuPG - http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6EC818FC2B3CA5AB 000 http://www.mrbits.com.br
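To see why the order of these directives, and of the "by" clauses inside each one, decides the outcome, here is a small Python model of slapd's first-match ACL evaluation. It is added here as an illustration; it is not OpenLDAP code and not code from anyone in this thread. It parses the three directives exactly as posted above, plus a tightened variant that is my own suggestion, and checks them the way slapacl does, starting with the two slapacl invocations discussed in this thread (crud writing an FTP user's uid, and the same check with the DNs swapped). The model assumes the default first-match semantics of slapd.access(5) and handles only the syntax used here (dn.exact/dn.subtree/dn.children targets, attrs=, and by anonymous/self/dn.exact/*). The DN uid=someone,ou=People,dc=domain,dc=org is a constructed, unrelated bound user used to probe what a DN other than crud can read.

```python
import re
import shlex

# Access levels in slapd.access(5) order; a granted level satisfies any request
# at that level or below (write implies read, read implies search, and so on).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))  # DNs compare case-insensitively


def _dn_matches(style, pattern, dn):
    pattern, dn = _norm(pattern), _norm(dn)
    below = dn.endswith("," + pattern)
    return {"exact": dn == pattern, "subtree": dn == pattern or below, "children": below}[style]


def parse_acl(text):
    """Parse `access to <what> by <who> <level> ...` directives into (target, by-clauses)."""
    rules = []
    for chunk in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        tokens = shlex.split(chunk)            # also strips the quotes around DNs
        split = tokens.index("by")
        target = {"dn_style": None, "dn": None, "attrs": None}
        for tok in tokens[:split]:
            key, _, val = tok.partition("=")
            if key.startswith("dn."):
                target["dn_style"], target["dn"] = key[3:], val
            elif key == "attrs":
                target["attrs"] = {a.lower() for a in val.split(",")}
            elif tok != "*":                   # "*" matches every entry and attribute
                raise ValueError("unsupported target clause: " + tok)
        by = tokens[split:]                    # by who level by who level ...
        rules.append((target, [(by[i + 1], by[i + 2]) for i in range(0, len(by), 3)]))
    return rules


def _who_matches(who, subject, entry_dn):
    """`subject` is the bound DN (None for anonymous); `entry_dn` is the entry being accessed."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "self":
        return subject is not None and _norm(subject) == _norm(entry_dn)
    key, _, val = who.partition("=")
    if key.startswith("dn."):
        return subject is not None and _dn_matches(key[3:], val, subject)
    raise ValueError("unsupported who clause: " + who)


def evaluate(rules, subject, entry_dn, attr):
    """Level granted to `subject` on `attr` of `entry_dn`: the first `access to` whose
    target matches is the only one consulted, and within it the first matching `by`
    clause decides. Rule order and clause order therefore both matter."""
    for target, clauses in rules:
        if target["dn"] and not _dn_matches(target["dn_style"], target["dn"], entry_dn):
            continue
        if target["attrs"] and attr.lower() not in target["attrs"]:
            continue
        for who, level in clauses:
            if _who_matches(who, subject, entry_dn):
                return level
        return "none"      # target matched but no `by` clause did: denied, later rules never tried
    return "none"          # nothing matched: denied


def check(rules, subject, entry_dn, attr, wanted):
    """True when the granted level covers `wanted`, i.e. what slapacl reports as ALLOWED."""
    return LEVELS.index(evaluate(rules, subject, entry_dn, attr)) >= LEVELS.index(wanted)


ADMIN = "cn=Admin,dc=domain,dc=org"
CRUD = "uid=crud,ou=Applications,dc=domain,dc=org"
PINGUIM = "uid=ftppinguim,ou=FTPUsers,dc=domain,dc=org"
OTHER = "uid=someone,ou=People,dc=domain,dc=org"   # constructed: an unrelated bound user

# The three directives exactly as posted in the thread.
THREAD_RULES = parse_acl("""
access to attrs=userPassword,shadowLastChange by anonymous auth by dn.exact="cn=Admin,dc=domain,dc=org" write by self read by self write by * read
access to dn.subtree="ou=FTPUsers,dc=domain,dc=org" by dn.exact="cn=Admin,dc=domain,dc=org" write by dn.exact="uid=crud,ou=Applications,dc=domain,dc=org" write by self write by * read
access to * by dn.exact="cn=Admin,dc=domain,dc=org" write by self write by * read
""")

# Tightened variant (my suggestion, not from the thread): the most specific rule comes
# first so crud may write FTP users' passwords but nobody else's, the dead `by self read`
# is dropped so users can change their own password, and both password rules end in `by * none`.
HARDENED_RULES = parse_acl("""
access to dn.subtree="ou=FTPUsers,dc=domain,dc=org" attrs=userPassword,shadowLastChange by anonymous auth by dn.exact="cn=Admin,dc=domain,dc=org" write by dn.exact="uid=crud,ou=Applications,dc=domain,dc=org" write by self write by * none
access to attrs=userPassword,shadowLastChange by anonymous auth by dn.exact="cn=Admin,dc=domain,dc=org" write by self write by * none
access to dn.subtree="ou=FTPUsers,dc=domain,dc=org" by dn.exact="cn=Admin,dc=domain,dc=org" write by dn.exact="uid=crud,ou=Applications,dc=domain,dc=org" write by self write by * read
access to * by dn.exact="cn=Admin,dc=domain,dc=org" write by self write by * read
""")

if __name__ == "__main__":
    # The two slapacl runs from the thread: correct -D/-b, then the swapped one.
    print("crud -> ftppinguim uid/write:", check(THREAD_RULES, CRUD, PINGUIM, "uid", "write"))
    print("ftppinguim -> crud uid/write:", check(THREAD_RULES, PINGUIM, CRUD, "uid", "write"))
    print("any user reads FTP password hash (posted rules):", check(THREAD_RULES, OTHER, PINGUIM, "userPassword", "read"))
    print("any user reads FTP password hash (tightened):", check(HARDENED_RULES, OTHER, PINGUIM, "userPassword", "read"))
```

Run through this model, the posted rules give crud write on uid inside ou=FTPUsers, and give ftppinguim only read on uid=crud, which is exactly the ALLOWED/DENIED pair the two slapacl command lines in this thread produce. Two other things the posted rules show: in the first directive "by self read" precedes "by self write", so a user can never change their own userPassword through that rule, and its "by * read" lets any bound DN read everyone's password hash. The tightened variant keeps the more specific password rule ahead of the generic one so crud's write stays scoped to ou=FTPUsers.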
I believe you've simply switched your '-b' (searchbase) and '-D' (binddn). Should be:
-D uid=crud,ou=Applications,dc=domain,dc=org -b uid=ftppinguim,ou=FTPUsers,dc=domain,dc=org
Joe
Hi Joe
You are absolutely right!
[root@svr2021 ~]# slapacl2.4 -f /etc/openldap2.4/slapd.conf -D "uid=crud,ou=Applications,dc=domain,dc=org" -b "uid=ftppinguim,ou=FTPUsers,dc=domain,dc=org" "uid/write:"
authcDN: "uid=crud,ou=applications,dc=domain,dc=org"
write access to uid=: ALLOWED
Let me check if I'm able to change user attributes.
--
Cheers
.0. MrBiTs - mrbits.dcf@gmail.com ..0 GnuPG - http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6EC818FC2B3CA5AB 000 http://www.mrbits.com.br
openldap-technical@openldap.org