Usage of groups in an access control
- To: openldap-technical@openldap.org
- Subject: Usage of groups in an access control
- From: Marco de Booij <marco.maillist@debooy.eu>
- Date: Sun, 27 Jan 2013 11:54:29 +0100
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
I have used OpenLDAP for years already to store my users, so I have to define
them only once. The users can log on to both Linux and Windows (Samba).
Now I want to add address books and manage the access rights.
I have a problem with the usage of groups in an access control. I want
to have address books in my LDAP, but they should not be accessible by
everybody. I used http://www.openldap.org/faq/data/cache/52.html to
configure OpenLDAP, but it does not seem to work. I have created a group
like this:
dn: cn=abk-admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
member: cn=My ENTRY,ou=People,dc=example,dc=com
cn: abk-admin
and an address-book like this:
dn: ou=abk1,ou=Addressbooks,dc=example,dc=com
ou: abk1
objectClass: organizationalUnit
objectClass: top
(Both entries are output of slapcat. I did not put in the attributes
like creatorsName and entryUUID.)
In the slapd.conf I have the following access rules:
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
  by dn="cn=admin,dc=example,dc=com" write
  by dn="cn=proxyuser,dc=example,dc=com" read
  by anonymous auth
  by self write
  by * none
access to attrs=shadowLastChange,shadowMax
  by self write
  by * read
access to dn.base="" by * read
access to *
  by dn="cn=admin,dc=example,dc=com" write
  by * read
access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
  by dn="cn=admin,dc=example,dc=com" write
  by groupOfNames="cn=abk-admin,ou=Roles,dc=example,dc=com" write
  by groupOfNames="cn=abk-user,ou=Roles,dc=example,dc=com" read
  by * none
I searched around and changed dn.children to dn.subtree and dn.one, but
the result is the same. I can read the entries, but I cannot insert or
delete an entry. I can only do this with admin, but only if the line for
admin is defined. What did I do wrong or understand wrong? I tried to
find the answer on the internet but was not able to :(
OpenLDAP: slapd 2.4.23 (Jun 16 2011 02:53:39)
Debian 6.0.6
Regards,
Marco
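The behaviour in the post follows from how slapd chooses ACLs: the first "access to" directive whose target matches the entry is the only one consulted, so the "access to *" directive placed before the abk1 rule shadows it for every entry. The following is an added example in Python, not code from the original post or from OpenLDAP: a small model of that selection applied to a trimmed excerpt of the posted rules (POSTED) and to a reordered version (FIXED). The names POSTED, FIXED, parse_acls and entry_access are mine, the model ignores attrs= targets and filters, and it assumes DNs without escaped commas.

```python
# Added example (not code from the original post): models how slapd selects
# the FIRST "access to" directive whose target matches the entry, then walks
# its "by" clauses in order. Assumes simple DNs (no escaped commas); attrs=
# targets never govern entry-level access; only the who-forms below are handled.
import re
# Posted ACL excerpt (admin/abk-user clauses trimmed) versus the abk1 rule moved
# BEFORE the catch-all and widened to dn.subtree (covers the parent's "children").
POSTED = """
access to *
  by * read
access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
  by group="cn=abk-admin,ou=Roles,dc=example,dc=com" write
  by * none
"""
FIXED = """
access to dn.subtree="ou=abk1,ou=Addressbooks,dc=example,dc=com"
  by group="cn=abk-admin,ou=Roles,dc=example,dc=com" write
  by * none
access to *
  by * read
"""
def dn_in_scope(style, pattern, dn):
    # Does dn fall inside a dn.<style>="pattern" target?
    dn, pattern = dn.lower(), pattern.lower()
    below = dn.endswith("," + pattern) if pattern else dn != ""
    rdn = dn[: -len(pattern) - 1] if pattern else dn
    return {"base": dn == pattern, "subtree": dn == pattern or below,
            "children": below, "one": below and "," not in rdn}[style]
def parse_acls(text):
    # Return [(target, [(who, level), ...])] in file order.
    acls = []
    for chunk in re.split(r"^\s*access to\s+", text, flags=re.M)[1:]:
        target, *bys = re.split(r"\s+by\s+", chunk.strip())
        acls.append((target, [tuple(b.split()[:2]) for b in bys]))
    return acls
def who_matches(who, bind_dn, groups):
    if who == "*":
        return True
    kind, value = re.fullmatch(r'(dn|group[\w/.]*)="([^"]*)"', who).groups()
    return value.lower() == bind_dn.lower() if kind == "dn" else value.lower() in groups
def entry_access(acls, dn, bind_dn, groups=()):
    """(directive index, level) slapd applies to entry-level access on dn."""
    groups = {g.lower() for g in groups}
    for i, (target, clauses) in enumerate(acls):
        m = re.fullmatch(r'dn\.(\w+)="([^"]*)"', target)
        if target != "*" and not (m and dn_in_scope(*m.groups(), dn)):
            continue  # not selected (attrs=-only targets are never entry-level)
        for who, level in clauses:
            if who_matches(who, bind_dn, groups):
                return i, level
        return i, "none"  # selected, but no "by" clause matched: denied
    return None, "none"  # no directive matched: denied
```

With POSTED a member of cn=abk-admin gets only "read" from directive 0 (the catch-all) on any entry under ou=abk1; with FIXED the same bind gets "write" from directive 0 on both the children and the ou=abk1 parent, while everyone else still falls through to "read" or "none".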