[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: cn=config ACL consultation (BUG)
Addendum :
Ldap is up and running with my configuration :
[root@ldap2]# ps auxwww | grep slapd
ldap 17190 0.0 1.1 426480 44384 ? Ssl Nov14 0:05
/usr/sbin/slapd -h ldap:/// -u ldap
And the directory sounds to respond exactly as I wish to usual queries.
However, here is a slapcat output :
[root@ldap2]/usr/sbin/slapcat -F /etc/openldap/slapd.d -l ldap-conf.ldif
PROXIED attributeDescription "OU" inserted.
PROXIED attributeDescription "DC" inserted.
olcSyncrepl: value #0: rootDN must be defined before syncrepl may be used
config error processing olcDatabase={1}bdb,cn=config: rootDN must be
defined before syncrepl may be used slapcat: bad configuration
directory!
I checked and that's true that the synchronisation doesn't work
properly anymore.
I had to reinserted this to have everything working well :
dn: olcDatabase={1}bdb,cn=config
OlcrootDN cn=Manager,dc=example,dc=fr
( no need for OlcrootPW)
--
Olivier
On Mon, Nov 14, 2011 at 5:15 PM, Olivier Guillard
<olivier@guillard.nom.fr> wrote:
> Hi there,
>
> I would like to have your feeling or advices about the following acl
> strategy for ldap administration issues (cn=config and actual directory
> administration). I have tested that and it sounds to work properly :
>
> My idea is to create two groups of people : one for those
> that administrates accounts in the directory, and another for
> those that are able to tune "cn=config"
>
> Basically, I have the following DIT : cn=config and dn: dc=example,dc=fr
>
> I have then created two "groupOfnames" (admin-ldap and
> admin-dir) and tuned ACL so that : directory admins can modify
> accounts and ldap admins can modify "slapd.d"
>
> I also have removed RootDN as well as RootPW both in :
> olcDatabase={0}config,cn=config
> as well as in
> olcDatabase={1}bdb,cn=config
>
> so that maintenance operation are not performed as "RootDN"
> anymore.
>
> ANY REACTIONS OR ADVICES ON THAT ?
>
>
> HARE IS HOW I HAVE TUNED THAT :
>
> # Entries for the two groupofnames :
>
> dn: cn=admin-dir,ou=system,dc=example,dc=fr
> cn: admin-dir
> member: uid=guillard,ou=people,dc=example,dc=fr
> member: uid=foo,ou=people,dc=example,dc=fr
> member: uid=shmol,ou=people,dc=example,dc=fr
> objectclass: groupOfNames
> objectclass: top
>
> dn: cn=admin-ldap,ou=system,dc=example,dc=fr
> cn: admin-ldap
> member: uid=guillard,ou=staff,ou=people,dc=example,dc=fr
> member: uid=pick,ou=staff,ou=people,dc=example,dc=fr
> objectclass: groupOfNames
> objectclass: top
>
>
> ### ACL :
>
> dn: olcDatabase={0}config,cn=config
> objectclass: olcDatabaseConfig
> olcaccess: {0}to * by group.exact="cn=admin-ldap,ou=system,dc=example
> ,dc=fr" write by * none
> ...
>
> ### And :
>
> dn: olcDatabase={1}bdb,cn=config
> objectclass: olcDatabaseConfig
> objectclass: olcBdbConfig
> ...
> olcaccess: {0}to dn.base="dc=example,dc=fr" by
> group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write
> by group.exact="cn=admin-dir,ou=system,dc=example,dc=fr" read
> by dn.base="cn=replication,ou=system,dc=example,dc=fr" read
> by * search
> olcaccess: {1}to dn.one="dc=example,dc=fr"
> by group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write
> by group.exact="cn=admin-dir,ou=system,dc=example,dc=fr" read
> by dn.base="cn=replicator,ou=system,dc=example,dc=fr"
> read by users search
> by anonymous auth
>
> ### then :
> olcaccess: {2}to dn.subtree="ou=system,dc=example,dc=fr"
> by group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write
> by dn.base="cn=replicator,ou=system,dc=example,dc=fr" read by * none
>
> ### and :
> olcaccess: {3}to dn.subtree="dc=example,dc=fr"
> attrs=userPassword,shadowLastChange,loginShell
> by group.exact="cn=admin-annuaire,ou=system,dc=example,dc=fr" write
> by self write by dn.base="cn=replicator,ou=system,dc=example,dc=fr"
> read by users auth by anonymous auth
>
> ### finally :
> olcaccess: {4}to dn.subtree="dc=example,dc=fr"
> by group.exact="cn=admin-annuaire,ou=system,dc=example,dc=fr"
> write by dn.base="cn=replicator,ou=system,dc=example,dc=fr"
> read by users read by anonymous read
>