Hi all,
I've installed an LDAP server on my network against which all my users can authenticate. They can even change their passwords via GUI or CLI without any issue.
What I am trying to do now is allow each one of them to have an address book in their subtree.
I created a subtree in each authentication realm that looks like this:
ou=Contacts,uid=user,ou=People,dc=domain,dc=ca
There is no problem with the rootdn adding entries below this, but I am unable to get the user to be able to. In fact I can't seem to allow the user to write anywhere. Even with the lone access rule:
access to * by * write
in the /etc/ldap/ldap.conf file (and yes, I restart slapd every time I change this file).
I believe the correct access rule for what I want is: access to dn.children="ou=People,dc=domain,dc=ca" by self write
but that doesn't work either, and I figured I'd reduce the number of unknowns by trying to give global write permission first.
A command-line test to create an entry yields this result:
darryl@bison:~$ ldapadd -w ${NETPASS} -x -D "uid=darryl,ou=People,dc=domain,dc=ca" -f ~/tmp
adding new entry "cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca"
ldap_add: Insufficient access (50)
        additional info: no write access to parent
~/tmp looks like this:
dn: cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca
cn: test_test1
objectClass: inetOrgPerson
sn: testestestets
It's not an authentication issue because if NETPASS is wrong it returns:
ldap_bind: Invalid credentials (49)
Anyone have any ideas? There must be something simple I am missing, but I'm stumped!
cheers, darryl
Hi,
On 07/07/2009 17:13, Darryl Moore wrote:
Hi all,
I've installed an LDAP server on my network against which all my users can authenticate. They can even change their passwords via GUI or CLI without any issue.
What I am trying to do now is allow each one of them to have an address book in their subtree.
I created a subtree in each authentication realm that looks like this:
ou=Contacts,uid=user,ou=People,dc=domain,dc=ca
There is no problem with the rootdn adding entries below this, but I am unable to get the user to be able to. In fact I can't seem to allow the user to write anywhere. Even with the lone access rule:
access to * by * write
in the /etc/ldap/ldap.conf file (and yes, I restart slapd every time I change this file).
I presume you mean slapd.conf file, not ldap.conf.
When testing this, make sure to put this rule as the *first* access rule in the slapd.conf file.
Order is important in ACLs, since the first matching rule will apply. So if your "access to * by * write" is not the first, it probably is never reached.
I believe the correct access rule for what I want is: access to dn.children="ou=People,dc=domain,dc=ca" by self write
A quick excerpt from the admin guide:
To add or delete an entry, the subject must have write access to the entry's entry attribute AND must have write access to the entry's parent's children attribute.
Be careful of "self" as well: it only represents the current user's entry, not its children, etc.
Hope this helps, Jonathan
Thanks again, I think I figured it out. I made some edits to the olcDatabase={1}bdb.ldif file in the slapd.d, and was able to write to the database. (It sure does help when you read the right set of instructions)
Unfortunately I somehow seem to have corrupted the database too. Now when I restart the server I get the following in syslog.
----------------------
Jul 8 08:27:30 bison slapd[11407]: @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $ ^Ibuildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
Jul 8 08:27:30 bison slapd[11408]: bdb_db_open: database "dc=moores,dc=ca" cannot be opened, err 13. Restore from backup!
Jul 8 08:27:30 bison slapd[11408]: bdb(dc=moores,dc=ca): txn_checkpoint interface requires an environment configured for the transaction subsystem
Jul 8 08:27:30 bison slapd[11408]: bdb_db_close: database "dc=moores,dc=ca": txn_checkpoint failed: Invalid argument (22).
Jul 8 08:27:30 bison slapd[11408]: backend_startup_one: bi_db_open failed! (13)
Jul 8 08:27:30 bison slapd[11408]: bdb_db_close: database "dc=moores,dc=ca": alock_close failed
Jul 8 08:27:30 bison slapd[11408]: slapd stopped.
----------------------
Interestingly, if I run slapd from the command line instead of in the background it still works. (Though possibly in read-only mode, I'm not sure.) Why does it not work when run from /etc/init.d too?
I came across this post WRT how to fix the database:
http://techarold.blogspot.com/2006/07/more-openldap-recovery.html
and it suggests running a utility called slapd_db_recover. There is no such utility on my system nor in any of the Ubuntu repos that I can see. Is this something that is supposed to come with OpenLDAP?
cheers, darryl
P.S. It is too bad this list is configured as it is. I got several replies to my initial query but most came back as private emails. One of the benefits of email lists is that others can gain insight simply by following a conversation without having to participate, but if the default reply is to the sender rather than the list then most of the time the list subscribers will never see them.
Hi again,
On 08/07/2009 15:24, Darryl Moore wrote:
Thanks again, I think I figured it out. I made some edits to the olcDatabase={1}bdb.ldif file in the slapd.d, and was able to write to the database. (It sure does help when you read the right set of instructions)
Unfortunately I somehow seem to have corrupted the database too. Now when I restart the server I get the following in syslog.
Jul 8 08:27:30 bison slapd[11407]: @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $ ^Ibuildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
Jul 8 08:27:30 bison slapd[11408]: bdb_db_open: database "dc=moores,dc=ca" cannot be opened, err 13. Restore from backup!
Jul 8 08:27:30 bison slapd[11408]: bdb(dc=moores,dc=ca): txn_checkpoint interface requires an environment configured for the transaction subsystem
Jul 8 08:27:30 bison slapd[11408]: bdb_db_close: database "dc=moores,dc=ca": txn_checkpoint failed: Invalid argument (22).
Jul 8 08:27:30 bison slapd[11408]: backend_startup_one: bi_db_open failed! (13)
Jul 8 08:27:30 bison slapd[11408]: bdb_db_close: database "dc=moores,dc=ca": alock_close failed
Jul 8 08:27:30 bison slapd[11408]: slapd stopped.
Interestingly, if I run slapd from the command line instead of in the background it still works. (Though possibly in read-only mode, I'm not sure.) Why does it not work when run from /etc/init.d too?
Sounds like a permissions problem. Often, distributions choose to run slapd as a specific user (ldap, for example). Thus, the files in your database must belong to that user. Try chown-ing /var/lib/ldap/*.
I came across this post WRT how to fix the database:
http://techarold.blogspot.com/2006/07/more-openldap-recovery.html
and it suggests running a utility called slapd_db_recover. There is no such utility on my system nor in any of the Ubuntu repos that I can see. Is this something that is supposed to come with OpenLDAP?
No, it's a BerkeleyDB tool, and comes with BerkeleyDB. On Ubuntu, the packages are named db4.X-utils, where 4.X is the version of BerkeleyDB you're using (4.2, 4.4, 4.5, 4.6 or 4.7). The utilities are then named db4.X_recover, for example. Install the version matching the libdb4.X package that your slapd depends on.
However, since version 2.3 of OpenLDAP, a database recover is done automatically on startup, so this won't solve your problem here.
P.S. It is too bad this list is configured as it is. I got several replies to my initial query but most came back as private emails. One of the benefits of email lists is that others can gain insight simply by following a conversation without having to participate, but if the default reply is to the sender rather than the list then most of the time the list subscribers will never see them.
Agreed. Good habits and good email software should encourage replying to the list... Maybe setting a default reply-to would help with that.
Regards, Jonathan
Well, with a bunch of reading and even more experimentation I have been able to set up access to individual users' address books with the following rule:
olcAccess: {1}to dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write b$
I want to set up a separate address book below various user groups as well, and give write access only to the members. I think the following will work.
olcAccess: {2}to dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca$" write
Two questions.
First, do both of these rules look reasonable? Are there any glaring security holes I'm missing? I think I have it right.
Two. Once I have this working I want to be able to set up various users as administrators to groups. (As you can do with gpasswd/gshadow in Linux) I looked around a lot, but have not seen anything that appears to allow you to do this with LDAP. Am I going to need to modify schemas to do this? <gulp>
Wow, I may be ready for my LPIC3 once I've figured all this out.
cheers, darryl
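The two points Jonathan made earlier (ACLs are first-match, so order matters, and "self" covers only the bound user's own entry) and the reason the regex rule {1} above works are easy to see in a small model of slapd's evaluation. The following is an added example, not code from the thread or from OpenLDAP; it models only the ACL features the thread uses (dn.children, dn.regex with $1 expansion, self, *) and uses the thread's dc=moores,dc=ca suffix with cn=Contacts, a constructed second user uid=bob, and the simplification that access is denied when no rule matches at all. One thing it makes visible: dn.regex is an unanchored search, so the rule's pattern, which ends in $ but has no ^, matches the cn=Contacts container and every entry below it, which is exactly what an address book needs.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# slapd access levels in increasing order; "write" implies everything below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm(dn: str) -> str:
    """Crude DN normalisation (lower-case, no whitespace around commas); enough for this model."""
    return ",".join(part.strip() for part in dn.lower().split(","))

# --- "to" clauses: return a match context (possibly empty) or None ------------------
def to_children(base: str):
    """dn.children=<base>: entries strictly below <base>, not <base> itself."""
    b = norm(base)
    return lambda target: {} if (norm(target) != b and norm(target).endswith("," + b)) else None

def to_regex(pattern: str):
    """dn.regex=<pattern>: regexec() semantics, i.e. an unanchored search, so a pattern
    without '^' also matches every entry *below* the DN it names."""
    rx = re.compile(pattern, re.IGNORECASE)
    def match(target):
        m = rx.search(target)
        return {"groups": m.groups()} if m else None
    return match

def to_any(target):            # "to *"
    return {}

# --- "by" clauses: (bound_dn, target_dn, ctx) -> bool --------------------------------
def by_self(bound, target, ctx):   # only the bound user's *own* entry, never its children
    return norm(bound) == norm(target)

def by_anyone(bound, target, ctx): # "by *"
    return True

def by_dn_exact_expand(template: str):
    """dn.exact,expand=<template>: $1.. are replaced from the 'to' regex groups."""
    def match(bound, target, ctx):
        dn = template
        for i, g in enumerate(ctx.get("groups", ()), start=1):
            dn = dn.replace(f"${i}", g)
        return norm(bound) == norm(dn)
    return match

@dataclass
class Rule:
    to: Callable[[str], Optional[dict]]
    by: list                      # [(subject_matcher, level), ...] in the order written

def evaluate(rules, bound, target):
    """First 'to' clause matching the target wins; inside it, the first matching 'by' clause
    decides. A matched rule whose 'by' clauses all fail ends in the implicit 'by * none'.
    Simplification: this model also denies when no rule matches at all."""
    for rule in rules:
        ctx = rule.to(target)
        if ctx is None:
            continue
        for subject, level in rule.by:
            if subject(bound, target, ctx):
                return level
        return "none"
    return "none"

def allows(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)

def can_add(rules, bound, new_dn):
    """Admin guide: adding an entry needs write on the entry itself and write on the parent's
    'children' pseudo-attribute (modelled here as write access on the parent DN)."""
    parent = new_dn.split(",", 1)[1]
    return allows(evaluate(rules, bound, new_dn), "write") and \
           allows(evaluate(rules, bound, parent), "write")

# --- the thread's rules, all under the dc=moores,dc=ca suffix ------------------------
SUFFIX = "dc=moores,dc=ca"
DARRYL = f"uid=darryl,ou=People,{SUFFIX}"
BOB = f"uid=bob,ou=People,{SUFFIX}"          # constructed second user
NEW_ENTRY = f"cn=test_test1,cn=Contacts,{DARRYL}"

# 'by self write' on People's children followed by the global rule: for anything under
# ou=People the first rule already matched, so the global rule is never reached.
ORDERED_WRONG = [
    Rule(to_children(f"ou=People,{SUFFIX}"), [(by_self, "write")]),
    Rule(to_any, [(by_anyone, "write")]),
]
ORDERED_RIGHT = list(reversed(ORDERED_WRONG))

# The working rule {1} from the thread: regex on the Contacts container, bound DN expanded.
FINAL = [
    Rule(to_regex(rf"cn=Contacts,uid=([^,]+),ou=People,{SUFFIX}$"),
         [(by_dn_exact_expand(f"uid=$1,ou=People,{SUFFIX}"), "write"), (by_anyone, "read")]),
]

if __name__ == "__main__":
    print("wrong order, darryl adding to own address book:", can_add(ORDERED_WRONG, DARRYL, NEW_ENTRY))
    print("right order:", can_add(ORDERED_RIGHT, DARRYL, NEW_ENTRY))
    print("final rule, darryl:", can_add(FINAL, DARRYL, NEW_ENTRY), "bob:", can_add(FINAL, BOB, NEW_ENTRY))
```

With the rules in the wrong order darryl can write his own entry but not an entry in his address book, which is the "no write access to parent" result from the first post; with the regex rule, darryl gets write on both the new entry and its parent container while bob only gets the "by * read" fallback.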
Oops, my bad, I cut and pasted the rules wrong:
olcAccess: {1}to dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * read
olcAccess: {2}to dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca" write by * read
cheers, darryl
Of course my group access rule failed miserably with the following error from slapd:
/etc/ldap/slapd.d: line 1: group "cn=$1,ou=Groups,dc=moores,dc=ca" attr "memberUid": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26; must be 1.3.6.1.4.1.1466.115.121.1.12 (DN), 1.3.6.1.4.1.1466.115.121.1.34 (NameUID) or a subtype of labeledURI.
It also gave me a warning for the first rule for user address books which I hadn't noticed before:
/etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context Backend ACL: access to dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.base,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * read
I have no idea what this means. Guess I'll google it.
I still haven't figured out what the warning is for olcAccess:{1}, but I have figured out my group access problem.
I wanted to use posixGroup/memberUid because I'm using Linux groups so that made sense. However the members have to be full dn="uid=mouse0,ou=Users,dc=my,dc=domain" format, hence the need to use groupofNames/member (which is the default)
The problem left to me now is how I automate the mapping of posixGroup/MemberUid --> groupofNames/member when I create or change group memberships (which could happen frequently). I guess I'll have to make changes to the ldapaddusertogroup script, unless someone here knows a better way.
thanks darryl
P.S. Sorry for all the replies to myself. I tend to talk to myself a lot. `~`
Sigh, except I get this error when I add the new objectClass:
invalid structural object class chain (posixGroup/groupOfNames)
which means that I can't have both these object classes together. Now I'm stumped. How do I set up group access privileges based on unix group membership? Is there no way to do this?
I promise, if somebody replies to any of these posts I'll stop nattering to myself in your presence. :-(
cheers, darryl
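The two previous messages leave the practical problem: the ACL "group/..." clause needs DN-valued members (groupOfNames/member), the existing groups are posixGroup with memberUid values, and the two structural classes cannot share an entry. One way to keep them in sync is a small script that reads an LDIF export of the posixGroup entries and emits LDIF modify operations for a parallel set of groupOfNames entries. The following is an added example, not code from the thread or from OpenLDAP, and it assumes: a hypothetical parallel container ou=AclGroups,dc=moores,dc=ca whose groupOfNames entries already exist (created once with the same cn), user entries under ou=People,dc=moores,dc=ca, and a constructed sample export. The generated output is what you would feed to ldapmodify; with a schema in which posixGroup is auxiliary (the RFC 2307bis style) the same modify could instead target the posixGroup entry itself.

```python
import re

# Constructed sample export of posixGroup entries (ldapsearch -LLL style); not data from the thread.
SAMPLE_LDIF = """\
dn: cn=devs,ou=Groups,dc=moores,dc=ca
objectClass: posixGroup
cn: devs
gidNumber: 1001
memberUid: darryl
memberUid: bob

dn: cn=empty,ou=Groups,dc=moores,dc=ca
objectClass: posixGroup
cn: empty
gidNumber: 1002
"""

PEOPLE_BASE = "ou=People,dc=moores,dc=ca"        # where the uid=<memberUid> entries live
ACL_GROUP_BASE = "ou=AclGroups,dc=moores,dc=ca"  # hypothetical parallel container of groupOfNames entries

# Plain POSIX names only: anything else (commas, '=', spaces) is rejected rather than spliced
# into a DN, so a crafted memberUid or cn value cannot smuggle extra RDNs into the ACL group.
SAFE_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def is_safe_name(value: str) -> bool:
    return SAFE_NAME.fullmatch(value) is not None

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, keeps multi-valued attributes.
    Base64 (::) and URL (:<) values are out of scope and rejected explicitly."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value[:1] in (":", "<"):
            raise ValueError(f"unsupported value encoding on attribute {name}")
        value = value.strip()
        if name == "dn":
            current = {"dn": value}
        elif current is None:
            raise ValueError("attribute before dn")
        else:
            current.setdefault(name, []).append(value)
    return entries

def checked_name(value, what):
    if not is_safe_name(value):
        raise ValueError(f"refusing to build a DN from {what} {value!r}")
    return value

def group_to_ldif(entry):
    """Return an LDIF modify for the parallel groupOfNames entry, or None for an empty group
    (groupOfNames requires at least one member, so there is nothing valid to write)."""
    cn = checked_name(entry["cn"][0], "cn")
    uids = entry.get("memberUid", [])
    if not uids:
        return None
    members = [f"uid={checked_name(u, 'memberUid')},{PEOPLE_BASE}" for u in uids]
    lines = [f"dn: cn={cn},{ACL_GROUP_BASE}", "changetype: modify", "replace: member"]
    lines += [f"member: {m}" for m in members]
    return "\n".join(lines + ["-", ""])

def convert(text):
    """Map every posixGroup in the export to one replace of 'member'; report groups skipped."""
    chunks, skipped = [], []
    for entry in parse_ldif(text):
        if "posixGroup" not in entry.get("objectClass", []):
            continue
        chunk = group_to_ldif(entry)
        if chunk is None:
            skipped.append(entry["dn"])
        else:
            chunks.append(chunk)
    return "\n".join(chunks), skipped

if __name__ == "__main__":
    ldif, skipped = convert(SAMPLE_LDIF)
    print(ldif)
    for dn in skipped:
        print(f"# skipped (no memberUid, groupOfNames needs a member): {dn}")
```

Using "replace: member" rather than "add" makes a rerun idempotent, so the script can be hooked into whatever creates or changes group memberships and simply run again after each change; the member set then always mirrors memberUid, including removals.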
openldap-technical@openldap.org