Hi there,
I can't seem to find my error in my LDIF file. I have an openLDAP server and I'd like to change the config so that every member of the group sys_allow_pw_change is able to change the password of every user. It's been a while since I've last used openLDAP. I got the current ACLs using
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
So I've created pwchange.ldif with the help of this serverfault post (https://serverfault.com/questions/1064914/q-what-is-the-correct-way-to-add-o...):
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by dn="cn=admin,dc=ldap,dc=example,dc=com" manage
  by dn="[cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com]/memberUid & user/uid" write
  by anonymous auth
by * none
-
add: olcAccess
olcAccess: {1}to attrs=shadowLastChange by self write by * read
-
add olcAccess
olcAccess: {2}to * by * read
So I'm adding the group in question to olcAccess {0} and re-adding all the current config. However:
ldapmodify -a -x -D "cn=admin,dc=ldap,dc=example,dc=com" -w Passw0rd! -H ldap:// -f pwchange.ldif
results in
ldapmodify: invalid format (line 9) entry: "olcDatabase={1}mdb,cn=config"
(Line 9 is by * none)
Thanks for any pointers!
--On Sunday, January 16, 2022 7:24 PM +0000 cupcake@domayn.ch wrote:
So I've created pwchange.ldif with the help of this serverfault post (https://serverfault.com/questions/1064914/q-what-is-the-correct-way-to-add-olcaccess-rules-to-openldap):
The post misses important points about how to do ACLs.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
Rather than a replace op, you can just delete and add ACL {0} directly, since you're not changing any of the other ACLs.
olcAccess: {0}to attrs=userPassword by self write by dn="cn=admin,dc=ldap,dc=example,dc=com" manage by dn="[cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com]/memberUid & user/uid" write by anonymous auth
The above seems very wrong. Is sys_allow_pw_change an actual LDAP group (groupOfNames, groupOfUniqueNames, or groupOfMembers)? If so, just standard group ACL format should work.
I.e., by dn.group="..." write
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Thanks for your answer,
Rather than a replace op, you can just delete and add ACL {0} directly, since you're not changing any of the other ACLs.
So this means I can omit the entries for olcAccess: {1} and olcAccess: {2}? And for olcAccess: {0} I would first create a delete operation and after that re-add it again? Why is that better than a replace, if I may ask?
Is sys_allow_pw_change an actual LDAP group (groupOfNames, groupOfUniqueNames, or groupOfMembers)
ObjectClass is posixGroup and members are saved in a memberUID field:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com
dn: cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: sys_allow_pw_change
memberUid: svc_ldap
memberUid: cupcake
gidNumber: 23923
Quanah Gibson-Mount <quanah@symas.com> wrote on 17.01.2022 17:21:
--On Monday, January 17, 2022 5:52 PM +0100 cupcake@domayn.ch wrote:
Thanks for your answer,
Rather than a replace op, you can just delete and add ACL {0} directly, since you're not changing any of the other ACLs.
So this means I can omit the entries for olcAccess: {1} and olcAccess: {2}? And for olcAccess: {0} I would first create a delete operation and after that re-add it again? Why is that better than a replace, if I may ask?
Yes, you can use the weight in a delete op, like
ldapmodify ...
dn: ...
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}access to ...
I would say it's better than replace for a few reasons. The largest being a lower likelihood of end-user error (typos, etc.).
You can also do the same sort of thing to insert ACLs, like
ldapmodify ...
dn: ....
add: olcAccess
olcAccess: {1}access to ...
That would put a new ACL at {1} and increment all subsequent ACLs to preserve order.
Is sys_allow_pw_change an actual LDAP group (groupOfNames, groupOfUniqueNames, or groupOfMembers)
ObjectClass is posixGroup and members are saved in a memberUID field:
Generally I'd advise using LDAP groups not *nix posixgroups for managing LDAP access.
I would also note that "memberUID" can be problematic if you end up with multiple entries with the same UID, an issue that DN based LDAP groups cannot encounter.
--Quanah
Thanks for your feedback, much appreciated!
I'll try to change my groups to groupOfNames; I couldn't get it to work right now and it's already late here. I've changed my LDIF file for my desired change to the following:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by dn="cn=admin,dc=ldap,dc=example,dc=com" manage by anonymous auth by * none
And this works fine:
ldapmodify -H ldapi:// -Y EXTERNAL -f pwchange.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
However, when adding the line I got from serverfault (dn="[cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com]/memberUi), it fails:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
	additional info: <olcAccess> handler exited with 1
But this should be resolved as soon as I've switched everything to LDAP groups. Could you please confirm that this guide is correct for enabling groupOfNames? https://kifarunix.com/how-to-create-openldap-member-groups/ Thank you very much!
Quanah Gibson-Mount <quanah@symas.com> wrote on 17.01.2022 18:06:
--On Monday, January 17, 2022 10:30 PM +0100 cupcake@domayn.ch wrote:
But this should be resolved as soon as I've switched everything to LDAP groups. Could you please confirm that this guide is correct for enabling groupOfNames? https://kifarunix.com/how-to-create-openldap-member-groups/ Thank you very much!
That guide is incorrect. You haven't stated what release of OpenLDAP you're using, but I'd recommend OpenLDAP 2.5 or later. I would also try and not rely on random external documentation on how to use OpenLDAP as most of it is wrong to varying degrees.
Start with the OpenLDAP official documentation: https://www.openldap.org/
Regards, Quanah
Thanks for the reply,
You haven't stated what release of OpenLDAP you're using
I'm using:
dpkg -s slapd | grep Version
Version: 2.4.49+dfsg-2ubuntu1.8
Will try to migrate to LDAP groups in the next few days, will keep you updated, thanks for the help so far!
Quanah Gibson-Mount <quanah@symas.com> wrote on 17.01.2022 22:37:
Thanks for your help, I got it working. Actually I was using the guide I've mentioned below yesterday already.
I've then added the new group:
dn: cn=sys_allow_password_change,ou=Groups,dc=ldap,dc=example,dc=com
changetype: add
cn: sys_allow_password_change
ou: Groups
objectClass: top
objectClass: groupOfNames
description: tagGroup
member: uid=svc_pw_change,ou=Service accounts,dc=ldap,dc=example,dc=com
and altered my first file as you suggested:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by group.exact="cn=sys_allow_password_change,ou=Groups,dc=ldap,dc=example,dc=com" write by dn="cn=admin,dc=ldap,dc=example,dc=com" manage by anonymous auth by * none
Now the user is able to change everyone's password. Thanks for your help!
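An added example, not code from this thread or from OpenLDAP, tying together the original post's "invalid format (line 9)" error, Quanah's delete-by-weight/add pattern and the final group.exact ACL: it generates the delete/add olcAccess record, folds the long value the way RFC 2849 requires (continuation lines start with one space that the reader strips) and checks the result the way ldapmodify's LDIF reader would. The DNs and ACL text are the thread's; the function names and the BROKEN sample are constructed here.

```python
# Added example (not from the thread or OpenLDAP): build the delete/add
# olcAccess record, fold it per RFC 2849, and reject lines ldapmodify would
# reject. DB_DN, GROUP, ADMIN and ACL0 are the values used in the thread.
DB_DN = "olcDatabase={1}mdb,cn=config"
GROUP = "cn=sys_allow_password_change,ou=Groups,dc=ldap,dc=example,dc=com"
ADMIN = "cn=admin,dc=ldap,dc=example,dc=com"
ACL0 = (f'to attrs=userPassword by self write by group.exact="{GROUP}" write '
        f'by dn="{ADMIN}" manage by anonymous auth by * none')

def fold_ldif_line(line, width=78):
    """Split one logical line into physical lines; continuations get a leading space."""
    chunks, first = [], True
    while line:
        take = width if first else width - 1
        chunks.append(line[:take] if first else " " + line[:take])
        line, first = line[take:], False
    return chunks

def unfold_ldif(text):
    """Join continuation lines back into logical lines, as an LDIF reader does."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # the single leading space is dropped
        else:
            logical.append(raw)
    return logical

def replace_acl_record(index, acl, db_dn=DB_DN):
    """Delete ACL {index} by weight, then add it back at the same weight."""
    logical = [f"dn: {db_dn}", "changetype: modify",
               "delete: olcAccess", f"olcAccess: {{{index}}}", "-",
               "add: olcAccess", f"olcAccess: {{{index}}}{acl}"]
    return "\n".join(p for l in logical for p in fold_ldif_line(l)) + "\n"

def invalid_lines(text):
    """Logical lines ldapmodify reports as 'invalid format': no 'attr:' and not '-'."""
    return [l for l in unfold_ldif(text) if l != "-" and ":" not in l]

# Constructed reproduction of the original post's failure: the last 'by' clause
# is not indented, so it is read as a new, colon-less line instead of folded.
BROKEN = """dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write
  by anonymous auth
by * none
"""
```

Feed `replace_acl_record(0, ACL0)` to `ldapmodify -Y EXTERNAL -H ldapi:///` to apply the change; `invalid_lines()` on a file before sending it catches the unindented-continuation mistake locally.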
openldap-technical@openldap.org