Re: OpenLDAP Group ACL

Sir,

I modified my settings and added the following group:

dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: pwmanager
userPassword: {crypt}x
gidNumber: 550
memberUid: l_luke
memberUid: w_smith

I also modified my ACL in the slapd.conf:

access to attr=userPassword
        by self write
        by anonymous auth
        by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write
        by * none
access to *
        by self write
        by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write
        by * read

I used the same command trying to change the user's password but received the exact same error. Would you please help? You mentioned that the nisNetgroup object doesn't fit in the ACL configuration in your previous reply. I had defined netgroups looked like the following:

dn: cn=Sales,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: Sales
nisNetgroupTriple: (,c_parks,mydomain.com)
nisNetgroupTriple: (,j_berryhill,mydomain.com)
nisNetgroupTriple: (,b_chen,mydomain.com)

Would there be a way for me to use the netgroup and its members for any ACL type of access?

Your help will be highly appreciated!

----- Original Message ----
From: Pierangelo Masarati <ando@sys-net.it>
To: Luke Lee <leeluke77@yahoo.com>
Cc: openldap-technical@openldap.org
Sent: Thursday, March 27, 2008 12:35:16 PM
Subject: Re: OpenLDAP Group ACL

> Hello,
>
> I'll appreciate it if any of you are willing to take time and share with
> me your experience with OpenLDAP running on a RedHat server configured
> with group ACL.
>
> I'm trying to grant a group of people (including myself) the permission to
> change user LDAP passwords. However, when I try to change a user's LDAP
> password, I received the following message:
>
> Result: Insufficient access (50)
>
> The command that I used was:
>
> ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S
> "uid=w_smith,ou=People,dc=mydomain,dc=com"
>
> My ACL settings in the slapd.conf file are:
>
> access to attr=userPassword
> by self write
> by anonymous auth
> by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
> by * none
> access to *
> by self write
> by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
> by * read
>
> My netgroup has been defined as the following:
>
> dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com
> objectClass: nisNetgroup
> objectClass: top
> cn: ITgroup
> nisNetgroupTriple: (,l_luke,mydomain.com)
> nisNetgroupTriple: (,w_smith,mydomain.com)
> nisNetgroupTriple: (,g_baker,mydomain.com)
> description: Password Keepers
>
> My user entry is:
>
> # l_luke, People mydomain.com
> dn: uid=l_luke,ou=People,dc=mydomain,dc=com
> uid: l_luke
> cn: l_luke
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowLastChange: 13958
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 10005
> gidNumber: 10005
> homeDirectory: /home/l_luke
> gecos: Luke Lee
>
> Can anyone point me to the right direction or share with me the correct
> group ACL settings that you have? Thanks!

As indicated in slapd.access(5), the member attribute must have either
distinguishedName syntax (or nameAndOptionalUID syntax) or be derivated
from memberURL; it defaults to "member". It appears from your message
that you expect "nisNetgroupTriple" to be used as member attribute, but
you should specify that attribute in the ACL clause. However,
"nisNetgroupTriple" wouldn't be allowed since it doesn't comply with the
above restrictions. You need to use LDAP groups for access control;
nisNetGroup objects don't fit.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------