
Re: OpenLDAP Group ACL



> Hello,
>
> I'll appreciate it if any of you are willing to take time and share with
> me your experience with OpenLDAP running on a RedHat server configured
> with group ACL.
>
> I'm trying to grant a group of people (including myself) the permission to
> change user LDAP passwords. However, when I try to change a user's LDAP
> password, I receive the following message:
>
> Result: Insufficient access (50)
>
> The command that I used was:
>
> ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S
> "uid=w_smith,ou=People,dc=mydomain,dc=com"
>
> My ACL settings in the slapd.conf file are:
>
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
>         by * none
> access to *
>         by self write
>         by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
>         by * read
>
> My netgroup has been defined as the following:
>
> dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com
> objectClass: nisNetgroup
> objectClass: top
> cn: ITgroup
> nisNetgroupTriple: (,l_luke,mydomain.com)
> nisNetgroupTriple: (,w_smith,mydomain.com)
> nisNetgroupTriple: (,g_baker,mydomain.com)
> description: Password Keepers
>
> My user entry is:
>
> # l_luke, People mydomain.com
> dn: uid=l_luke,ou=People,dc=mydomain,dc=com
> uid: l_luke
> cn: l_luke
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowLastChange: 13958
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 10005
> gidNumber: 10005
> homeDirectory: /home/l_luke
> gecos: Luke Lee
>
> Can anyone point me in the right direction or share with me the correct
> group ACL settings that you have? Thanks!

As indicated in slapd.access(5), the member attribute must have either
distinguishedName syntax (or nameAndOptionalUID syntax) or be derived
from memberURL; it defaults to "member".  It appears from your message
that you expect "nisNetgroupTriple" to be used as member attribute, but
you should specify that attribute in the ACL clause.  However,
"nisNetgroupTriple" wouldn't be allowed since it doesn't comply with the
above restrictions.  You need to use LDAP groups for access control;
nisNetGroup objects don't fit.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
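The following slapd.conf excerpt is an added example illustrating the reply above; it is not from the original thread or from the OpenLDAP project. It assumes the group is re-created as a groupOfNames entry under a hypothetical ou=Groups container (the DN, container and member list are assumptions), with member values that are the users' real DNs under ou=People, so that the member attribute has the distinguishedName syntax the group selector requires.

```conf
# slapd.conf ACL excerpt (added example, not from the original thread).
# Assumes a group entry such as the following exists; the ou=Groups
# container and the member list are assumptions for the example:
#
#   dn: cn=ITgroup,ou=Groups,dc=mydomain,dc=com
#   objectClass: groupOfNames
#   objectClass: top
#   cn: ITgroup
#   member: uid=l_luke,ou=People,dc=mydomain,dc=com
#   member: uid=g_baker,ou=People,dc=mydomain,dc=com
#   description: Password Keepers
#
# groupOfNames.member has distinguishedName syntax, which is what the
# group/<objectclass>/<attribute> selector in slapd.access(5) requires;
# nisNetgroupTriple values are not DNs, so a nisNetgroup cannot be used here.

# Password attribute: the first matching "by" clause wins, so keep
# "anonymous auth" (needed for simple binds) ahead of the catch-all "none".
access to attrs=userPassword
        by self write
        by anonymous auth
        by group/groupOfNames/member="cn=ITgroup,ou=Groups,dc=mydomain,dc=com" write
        by * none

# Everything else: the same group may edit, everyone else may read.
# "group.exact=" with no selector is equivalent to group/groupOfNames/member=,
# so the selector is spelled out only to make the requirement explicit.
access to *
        by self write
        by group/groupOfNames/member="cn=ITgroup,ou=Groups,dc=mydomain,dc=com" write
        by * read
```

The DN used with `-D` in ldappasswd must match one of the member values exactly, since group membership is evaluated against the bound DN; `ldapwhoami -x -W -D <dn>` confirms which DN the server sees. Note that the quoted ldappasswd command binds as uid=l_luke under ou=Netgroup while the user entry shown lives under ou=People, so whichever of those is the real account must be the one listed as member.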