[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Access control
Am Mon, 31 Jan 2011 10:54:55 +0100
schrieb Thomas Schweikle <tps@vr-web.de>:
> Am 31.01.2011 08:29, schrieb Dieter Kluenter:
> > Am Sun, 30 Jan 2011 23:36:13 +0100
> > schrieb Thomas Schweikle <tps@vr-web.de>:
> >
> >> Hi!
> >>
> >> I am trying to set up access control for an OpenLDAP server. I'd
> >> like to use a Group to set up users allowed to access and write to
> >> entries inside my tree:
> >>
> >> I've created the group:
> >> dn: cn=administrators,dc=example,dc=com
> >> cn: administrators
> >> objectclass: groupOfNames (important for the group acl feature)
> >> member: cn=user1,ou=Users,dc=example,dc=com
> >> member: cn=user2,ou=Users,dc=example,dc=com
> >>
> >> in
> >> dn: olcDatabase=hdb,cn=config
> >> objectClass: olcDatabaseConfig
> >> objectClass: olcHdbConfig
> >> olcDatabase: hdb
> >> olcDbDirectory: /var/lib/ldap
> >> olcSuffix: dc=example,dc=com
> >> olcRootDN: cn=adm,dc=example,dc=com
> >> olcRootPW: ${admpw}
> >> olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey
> >> by group.exact="cn=administrators,dc=example,dc=com" write
> >> by dn="cn=adm,dc=example,dc=com" write
> >> by anonymous auth
> >> by self write
> >> by * none
> >> olcAccess: to dn.base=""
> >> by * read
> >> olcAccess: to *
> >> by group.exact="cn=administrators,dc=example,dc=com" write
> >> by dn="cn=adm,dc=example,dc=com" write
> >> by * read
> >>
> >> Now trying to access "userPassword" from any user inside the tree
> >> "ou=Users,dc=example,dc=com".
> >> 1. The password field is empty -- it should hold a value
> >> 2. Entering a value, then pressing apply: "Error modifying
> >> 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access
> >>
> >> I'd expected to have access to "userPassword" and I am allowed to
> >> write this value. Why does it not work if I log in with user1?
> >>
> > http://www.openldap.org/faq/data/cache/189.html
> Had found this, read it, but got no additional information out of
> it. I'd like to have access to the database for some people only.
> Mainly to reset passwords. I've tried. It did not work. I'd read the
> chapters in the admin manual. Didn't help. I am asking the list ---
> and I am redirected to these, already known documents. Doesn't help
> either.
>
> > http://www.openldap.org/faq/data/cache/52.html
> I've found this, read it, modified it to match my data, imported it.
> And noticed it not changing anything. AFAIK i shall have access to
> change the password of existing users. In reality I do not even have
> access to read the password???
>
> At the moment I am having:
> olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey
> by dn="cn=adm,dc=example,dc=com" write
> by group.exact="cn=administrators,dc=example,dc=com" write
> by anonymous auth
> by self write
> by * none
>
> cn=adm,dc=example,dc=com has write access to attributes,
> Members of group cn=administrators,dc=example,dc=com have write
> access, the one who is authenticated his cn has write access.
> Anonymous users can authenticate.
> All authenticated users may read.
> All non authenticated users do not have any access at all.
>
>
> olcAccess: {1}to dn.base=""
> by * read
This is access to rootdn, which is required to read the servers
capabilities
> Anyone may read the tree from dn.base on.
>
>
> olcAccess: {2}to *
> by dn="cn=adm,dc=example,dc=com" write
> by group.exact="cn=administrators,dc=example,dc=com" write
> by * read
It is not quite clear whether this is supposed to be a global or a
database specific access rule. It should be a database specific rule
set.
dn: olcDatabase=hdb,cn=config
...
olcAccess:to dn.subtree=dc=example,dc=com by \
group/groupOfNames/member.exact=cn=administrators,dc=example,dc=com \
write by dn.exact=cn=adm,dc=example,dc=com write by users read
[...]
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E