I have a very simple config that I can show with
ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config olcDatabase=*
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcAccess: {0} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0} to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAccess: {1} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbDirectory: /data/openldap
olcRootDN: cn=Manager,dc=local,dc=bob,dc=com
olcSuffix: dc=local,dc=bob,dc=com
olcRootPW: {SSHA}3E+8/IcRHHTNez5QXlyRMP6mCZODN3LE
olcAccess: {0} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage
With this config, shouldn't this work as well?
ldapsearch -x -W -D cn=Manager,dc=local,dc=bob,dc=com -b cn=config olcDatabase=*
My other question is where is there a reference to exactly what "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" means? I can't seem to find one.
Thanks, Nick
On Mon, Sep 11, 2017 at 04:18:20PM -0500, Nick Gray wrote:
With this config, shouldn't this work as well?
ldapsearch -x -W -D cn=Manager,dc=local,dc=bob,dc=com -b cn=config olcDatabase=*
The rules on your config database are:
olcAccess: {0} to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAccess: {1} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage
The first matches everything (*), so the second is never consulted.
My other question is where is there a reference to exactly what "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" means. I can't seem to find one.
http://www.openldap.org/doc/admin24/sasl.html#IPC%20(ldapi%3A%2F%2F%2F)%20Id...
I read the man page, but I guess I understood that the first rule only matched everything as far as "what" to access. I thought it went what, who, permissions.
My intent was to enable both of these to work.
Access to all for dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" to manage, and access to all for dn.base="cn=Manager,dc=local,dc=bob,dc=com" to manage as well.
The first one I am using, I guess as intended from the command line, and the second I would use from the command line as well, in a tool, etc.
What would that ruleset look like?
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Ryan Tandy
Sent: Tuesday, September 12, 2017 2:39 PM
To: Nick Gray nick@graysaustin.com
Cc: openldap-technical@openldap.org
Subject: Re: I can't seem to find the answer to these olcAccess questions
http://www.openldap.org/doc/admin24/sasl.html#IPC%20(ldapi%3A%2F%2F%2F)%20Identity%20Format
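Ryan's point (the first `to *` directive matches every entry, so only its own `by` clauses are consulted) and Nick's follow-up question about a ruleset that grants both identities manage access, illustrated with an added example that is not from the thread: a small Python model of slapd's first-match access evaluation, run over the two olcAccess values quoted above and over a single directive carrying both `by` clauses. The merged directive is this example's assumption about the intended ruleset, not something posted in the thread.

```python
import re

# Identities taken from the cn=config database shown in the thread.
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
MANAGER = "cn=Manager,dc=local,dc=bob,dc=com"

# The two directives as posted: two separate 'to *' rules.
SEPARATE = [
    'to * by dn.base="%s" manage' % ROOT_PEERCRED,
    'to * by dn="%s" manage' % MANAGER,
]

# Assumed fix (not from the thread): one 'to *' rule, two 'by' clauses.
MERGED = [
    'to * by dn.base="%s" manage by dn.base="%s" manage'
    % (ROOT_PEERCRED, MANAGER),
]

# Matches 'by *' or 'by dn[.base]="<dn>"' followed by an access level.
BY_RE = re.compile(r'by\s+(\*|dn(?:\.base)?="([^"]*)")\s+(\w+)')


def parse(directive):
    """Split one olcAccess value into its <what> and its ordered <by> clauses."""
    what = directive.split()[1]  # only 'to *' is needed for this thread
    whos = [(dn if dn else "*", level) for _, dn, level in BY_RE.findall(directive)]
    return what, whos


def slapd_access(rules, bind_dn):
    """Model slapd's evaluation: the first directive whose <what> matches the
    entry is selected; inside it the first matching <by> clause decides; if
    none of its <by> clauses match, the implicit trailing 'by * none' applies
    and later directives are never consulted."""
    for directive in rules:
        what, whos = parse(directive)
        if what != "*":
            continue  # entry-specific <what> clauses are out of scope here
        for who, level in whos:
            if who == "*" or who == bind_dn:
                return level
        return "none"  # selected directive had no matching <by> clause
    return "none"  # no directive matched at all


if __name__ == "__main__":
    for name, rules in (("separate", SEPARATE), ("merged", MERGED)):
        for dn in (ROOT_PEERCRED, MANAGER):
            print(name, dn, "->", slapd_access(rules, dn))
```

With the separate directives the Manager DN is evaluated against directive {0}, matches none of its `by` clauses and is denied, which is why the simple bind search of cn=config returns nothing; a simple bind as the Manager is also not the config database's rootdn, so these ACLs do apply to it.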