[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: LDAP Access controls
Sigh, except I get this error when I add the new objectClass:
invalid structural object class chain (posixGroup/groupOfNames)
which means that I can't have both these object classes together. Now
I'm stumped. How do I set up group access privileges based on unix group
membership? Is there no way to do this?
I promise, if somebody replies to any of these posts I'll stop nattering
to myself in your presence. :-(
cheers,
darryl
Darryl Moore wrote:
> I still haven't figured out what the warning is for olcAccess:{1}, but I
> have figured out my group access problem.
>
> I wanted to use posixGroup/memberUid because I'm using Linux groups so
> that made sense. However the members have to be full
> dn="uid=mouse0,ou=Users,dc=my,dc=domain" format, hence the need to use
> groupofNames/member (which is the default)
>
> The problem left to me now is how I automate the mapping of
> posixGroup/MemberUid --> groupofNames/member when I create or change
> group memberships (which could happen frequently). I guess I'll have to
> make changes to the ldapaddusertogroup script, unless someone here knows
> a better way.
>
> thanks
> darryl
>
> P.S. sorry for all the repliess to myself. I tend to talk to myself a
> lot. `~`
>
> Darryl Moore wrote:
>> Of course my group access rule failed miserably with the following error
>> from slapd:
>>
>> /etc/ldap/slapd.d: line 1: group "cn=$1,ou=Groups,dc=moores,dc=ca" attr
>> "memberUid": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26; must
>> be 1.3.6.1.4.1.1466.115.121.1.12 (DN), 1.3.6.1.4.1.1466.115.121.1.34
>> (NameUID) or a subtype of labeledURI.
>>
>>
>> It also gave me a warning for the first rule for user address books
>> which I hadn't noticed before:
>>
>> /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the
>> ACL scope within backend naming context
>> Backend ACL: access to
>> dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$"
>> by dn.base,expand="uid=$1,ou=People,dc=moores,dc=ca" write
>> by * read
>>
>> I have no idea what this means. Guess I'll google it.
>>
>>
>> Darryl Moore wrote:
>>> Opps my bad, I cut and past the rules wrong
>>>
>>> olcAccess: {1}to
>>> dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
>>> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * read
>>>
>>>
>>>
>>> olcAccess: {2}to
>>> dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
>>> group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca" write by * read
>>>
>>>
>>> cheers,
>>> darryl
>>>
>>> Darryl Moore wrote:
>>>> Well with a bunch of reading and even more experimentation I have been
>>>> able to set up access to individual users Address Books. with the
>>>> following rule:
>>>>
>>>> olcAccess: {1}to
>>>> dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
>>>> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write b$
>>>>
>>>> I want to set up a seperate address book below various user groups as
>>>> well, and give write access only to the members. I think the following
>>>> will work.
>>>>
>>>> olcAccess: {2}to
>>>> dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
>>>> group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca$" write
>>>>
>>>> Two questions.
>>>>
>>>> First do both these rules look reasonable? Are there any glaring
>>>> security holes I'm missing? I think I have it right.
>>>>
>>>> Two. Once I have this working I want to be able to set up various users
>>>> as administrators to groups. (As you can do with gpasswd/gshadow in
>>>> Linux) I looked around a lot, but have not seen anything that appears to
>>>> allow you to do this with LDAP. Am I going to need to modify schemas to
>>>> do this? <gulp>
>>>>
>>>> Wow, I may be ready for my LPIC3 once I've figured all this out.
>>>>
>>>> cheers,
>>>> darryl
>>>>
>>>> Darryl Moore wrote:
>>>>> Thanks again, I think I figured it out. I made some edits to the
>>>>> olcDatabase={1}bdb.ldif file in the slapd.d, and was able to write to
>>>>> the database. (It sure does help when you read the right set of
>>>>> instructions)
>>>>>