Hi,
may be the subject doesn't give back my real quastion... and may be this is a returned topic... sorry.
Scenario: there is a database with several DC's, all DC's divided to several OU's, and most OU contains several other OU's.
dc=hu + dc=company1 + dc=company2 + dc = sub-company21 + ou = orgunit1 + ou = orgunit2 + ou = orgunit3
and there are several users.
Take a look two examples:
uid=admin1,ou=some-org,dc=sub-company21,dc=company2,dc=hu needs to read the ou=orgunit1 and ou=orgunit2.
uid=admin2,ou=some-org,dc=sub-company21,dc=company2,dc=hu needs to read full dc=sub-company21 subtree.
All of them are WORKING now as well with ACL's.
But now, the admin1 user needs to set up two different connections in GUI browser, because he can't set up the dc=sub-company21,dc=company2,dc=hu as baseDN.
When he uses the search through API, then he needs to make 2 different lookup to collect all nodes from DB, and merge them.
Is there any way to set up one or more ACL's, where admin1 user can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and can start to search from there, but he will see the entries only from ou=orgunit1 and ou=orgunit2?
Hope that's clear...
Thanks,
a.
Hi again,
On Wed, May 09, 2018 at 01:00:05PM +0200, Ervin Hegedüs wrote:
Hi,
[...]
Is there any way to set up one or more ACL's, where admin1 user can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and can start to search from there, but he will see the entries only from ou=orgunit1 and ou=orgunit2?
if there isn't any solution with ACL, can I make it some other way? I mean, back_meta, rewrite, or other overlay solutions...?
Thanks,
a.
On Thu, 10 May 2018, Ervin Hegedüs wrote:
On Wed, May 09, 2018 at 01:00:05PM +0200, Ervin Hegedüs wrote:
Is there any way to set up one or more ACL's, where admin1 user can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and can start to search from there, but he will see the entries only from ou=orgunit1 and ou=orgunit2?
if there isn't any solution with ACL, can I make it some other way? I mean, back_meta, rewrite, or other overlay solutions...?
An LDAP filter can test the components of an entry's DN with a clause such as: (|(ou:dn:=orgunit1)(ou:dn:=orgunit2))
Note the ":dn" syntax there.
Perhaps an ACL using an LDAP filter containing something like that would be part of a solution.
Philip Guenther
Hi Philip,
thanks for the reply,
On Thu, May 10, 2018 at 09:12:18AM -0700, Philip Guenther wrote:
On Thu, 10 May 2018, Ervin Hegedüs wrote:
On Wed, May 09, 2018 at 01:00:05PM +0200, Ervin Hegedüs wrote:
Is there any way to set up one or more ACL's, where admin1 user can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and can start to search from there, but he will see the entries only from ou=orgunit1 and ou=orgunit2?
if there isn't any solution with ACL, can I make it some other way? I mean, back_meta, rewrite, or other overlay solutions...?
An LDAP filter can test the components of an entry's DN with a clause such as: (|(ou:dn:=orgunit1)(ou:dn:=orgunit2))
Note the ":dn" syntax there.
thanks - it doesn't work.
ldapsearch -H ldaps://ldap:636 -b "dc=sub-company21,dc=company,dc=hu" -D "cn=admin,dc=hu" -W "(ou:dn:=orgunit1)"
works, and the result reduced only for the OU=orgunit1,dc=sub-....
so, the syntax (and idea :)) is right.
ldapsearch -H ldaps://ldap:636 -b "ou=orgunit1,dc=sub-company21,dc=company2,dc=hu" -D "uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" -W "(ou:dn:=orgunit1)"
also works, but the baseDN starts with "ou=orgunit1", which is sets up exactly in ACL.
finally,
ldapsearch -H ldaps://ldap:636 -b "dc=sub-company21,dc=company2,dc=hu" -D "uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" -W "(ou:dn:=orgunit1)"
where the baseDN is the parent of allowed OU's, and filter contains the allowed OU('s), then it doesn't work.
Note, that if it should worked, I'm not sure that this could be usable, because in most LDAP GUI, the connection settings doesn't contains any filter option, only the baseDN, what you can set up.
Perhaps an ACL using an LDAP filter containing something like that would be part of a solution.
could you show me any example?
Thanks for your help,
a.
Hi,
On Thu, May 10, 2018 at 06:02:48PM +0200, Ervin Hegedüs wrote:
Hi again,
On Wed, May 09, 2018 at 01:00:05PM +0200, Ervin Hegedüs wrote:
Hi,
[...]
Is there any way to set up one or more ACL's, where admin1 user can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and can start to search from there, but he will see the entries only from ou=orgunit1 and ou=orgunit2?
if there isn't any solution with ACL, can I make it some other way? I mean, back_meta, rewrite, or other overlay solutions...?
I'm playing with aliases, thought I can make it with it.
The tree:
dn: ou=orgunit1,dc=sub-company21,dc=company2,dc=hu dn: ou=orgunit2,dc=sub-company21,dc=company2,dc=hu dn: ou=orgunit3,dc=sub-company21,dc=company2,dc=hu
and the new "collection": dn: ou=collection1,dc=sub-company21,dc=company2,dc=hu
I'ld like to add an alias from ou=orgunit1 under ou=collection1:
dn: ou=orgunit1,dc=sub-company21,dc=company2,dc=hu changetype: add objectClass: alias objectClass: top objectClass: organizationalUnit aliasedObjectName: ou=orgunit1,ou=collection1,dc=sub-company21,dc=company2,dc=hu
but the ldapadd gives:
invalid structural object class chain (alias/organizationalUnit)
I've tried to add the alias as dn=aliased_name, and aliasedObjectName is the original, but same result.
How can I add the OU alias, with all children?
Thanks,
a.
Am Sun, 13 May 2018 09:42:22 +0200 schrieb Ervin Hegedüs airween@gmail.com:
Hi,
On Thu, May 10, 2018 at 06:02:48PM +0200, Ervin Hegedüs wrote:
Hi again,
On Wed, May 09, 2018 at 01:00:05PM +0200, Ervin Hegedüs wrote:
Hi,
[...]
Is there any way to set up one or more ACL's, where admin1 user can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and can start to search from there, but he will see the entries only from ou=orgunit1 and ou=orgunit2?
if there isn't any solution with ACL, can I make it some other way? I mean, back_meta, rewrite, or other overlay solutions...?
I'm playing with aliases, thought I can make it with it.
The tree:
dn: ou=orgunit1,dc=sub-company21,dc=company2,dc=hu dn: ou=orgunit2,dc=sub-company21,dc=company2,dc=hu dn: ou=orgunit3,dc=sub-company21,dc=company2,dc=hu
and the new "collection": dn: ou=collection1,dc=sub-company21,dc=company2,dc=hu
I'ld like to add an alias from ou=orgunit1 under ou=collection1:
dn: ou=orgunit1,dc=sub-company21,dc=company2,dc=hu changetype: add objectClass: alias objectClass: top objectClass: organizationalUnit aliasedObjectName: ou=orgunit1,ou=collection1,dc=sub-company21,dc=company2,dc=hu
but the ldapadd gives:
invalid structural object class chain (alias/organizationalUnit)
I've tried to add the alias as dn=aliased_name, and aliasedObjectName is the original, but same result.
How can I add the OU alias, with all children?
Objectclasses aliasedObjectName and organizationalUnit are both structural Objectclasses, try to add auxiliary object classes, or create your own classes. Some documentation include extensibleObject class, but this would create additional security questions.
-Dieter
Hi Dieter,
thanks for the reply,
On Sun, May 13, 2018 at 06:17:08PM +0200, Dieter Klünter wrote:
Am Sun, 13 May 2018 09:42:22 +0200 schrieb Ervin Hegedüs airween@gmail.com:
How can I add the OU alias, with all children?
Objectclasses aliasedObjectName and organizationalUnit are both structural Objectclasses, try to add auxiliary object classes, or create your own classes. Some documentation include extensibleObject class, but this would create additional security questions.
the solution:
dn: ou=collection1,dc=sub-company21,dc=company2,dc=hu changetype: add objectClass: organizationalUnit objectClass: top ou: collection1
dn: ou=orgunit1,ou=collection1,dc=sub-company21,dc=company2,dc=hu changetype: add aliasedObjectName: ou=orgunit1,dc=sub-company21,dc=company2,dc=hu objectClass: alias objectClass: top objectClass: extensibleObject ou: orgunit1
And one more thing: it must be pass the "-a always" argument to ldapsearch to use that subtree. User needs access to ou=collection1.
Thanks,
a.
openldap-technical@openldap.org
-
Dieter Klünter -
Ervin Hegedüs -
Philip Guenther