You shouldn't use user1 as binddn in the application but a dedicated service account.
And you should make sure that everyone is allowed to authenticate, like so:
LDAP entry:
cn=zabix,ou=applications,dc=prime,dc=ds,dc=geo,dc=com
objectClass:...
...
userPassword: password
Zabbix configuration:
host: 192.168.1.1
base: ou=People,dc=prime,dc=ds,dc=geo,dc=com
port: 636
uid: uid
bind_dn: cn=zabix,ou=applications,dc=prime,dc=ds,dc=geo,dc=com
password: password
ACL configuration:
access to dn.sub="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
attrs=userPassword
by self write
by * auth
access to dn.sub="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
filter="(allowedService=zabbix)"
attrs=uid,objectClass
by dn.exact="cn=zabix,ou=applications,dc=prime,dc=ds,dc=geo,dc=com" read
by self read
Hope this works for you.
Cheers,
Peter
On 13.05.2013 10:54, Geo P.C. wrote:
Dear Peter,
As per your suggestion, in inetOrgPerson I created a custom attribute called allowedService, and now the user list is as follows:
dn: ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: uid=user1,ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: user1
allowedService: zabbix
allowedService: gitlab
dn: uid=user2,ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: user2
allowedService: gitlab
dn: uid=user3,ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: user3
allowedService: gitlab
Now we have two applications, zabbix and gitlab. For zabbix, user1 needs to have access and the others do not. For gitlab, the three users should have access.
We have created two organizational units as follows:
dn: ou=zabix,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: zabbix
dn: ou=gitlab,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
objectClass: organizationalUnit
ou: gitlab
The zabbix application is configured as follows:
host: 192.168.1.1
base: ou=zabix,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
port: 636
uid: uid
bind_dn: uid=user1,ou=People,dc=prime,dc=ds,dc=geo,dc=com
password: password
In the slapd.conf file we added an ACL as follows:
access to dn.base="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
filter="(allowedService=zabbix)" attrs=uid,userPassword
by dn.exact="ou=zabix,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" read
by * break
But with this configuration we are unable to log in to the zabix application with user user1.
Can you please help me with it? Let me know whether I am following the correct way. Can you please tell me the correct steps we need to take?
Thanks in advance.
Geo
Skype id: geopcgeo
--
Peter Gietz, CEO
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: peter.gietz@daasi.de
web: www.daasi.de
Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
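To see why the original ACL fails and the suggested one works, here is a small Python model of slapd's access-directive evaluation (an added example, not code from the thread or from OpenLDAP). The entries, DNs and `{SSHA}` placeholders are constructed from the messages above; the evaluator only models dn.base/dn.sub scopes, a single equality filter, attrs, the subjects self/*/exact DN, and `break`.

```python
# Constructed from the thread: two People entries and the service account DN.
PEOPLE = "ou=People,dc=prime,dc=ds,dc=geo,dc=com"
SERVICE = "cn=zabix,ou=applications,dc=prime,dc=ds,dc=geo,dc=com"
USER1, USER2 = f"uid=user1,{PEOPLE}", f"uid=user2,{PEOPLE}"
ENTRIES = {
    USER1: {"uid": ["user1"], "allowedService": ["zabbix", "gitlab"],
            "userPassword": ["{SSHA}placeholder1"]},
    USER2: {"uid": ["user2"], "allowedService": ["gitlab"],
            "userPassword": ["{SSHA}placeholder2"]},
}
# slapd privilege ladder, lowest to highest; a grant implies every lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# A rule has a scope (dn.base or dn.sub), an optional equality filter, attrs, and
# 'by' clauses as (subject, level); subject is "self", "*" or an exact bind DN.
PETER_ACL = [  # the two directives from the reply above
    {"scope": ("sub", PEOPLE), "attrs": {"userPassword"},
     "by": [("self", "write"), ("*", "auth")]},
    {"scope": ("sub", PEOPLE), "filter": ("allowedService", "zabbix"),
     "attrs": {"uid", "objectClass"}, "by": [(SERVICE, "read"), ("self", "read")]},
]
GEO_ACL = [  # the original directive: dn.base matches only the OU entry itself
    {"scope": ("base", PEOPLE), "filter": ("allowedService", "zabbix"),
     "attrs": {"uid", "userPassword"},
     "by": [("ou=zabix,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com", "read"), ("*", "break")]},
]

def scope_matches(scope, dn):
    kind, base = scope
    return dn == base if kind == "base" else (dn == base or dn.endswith("," + base))

def granted(acl, binder, target, attr):
    """First 'access to' clause matching the target (scope, filter, attrs) is
    final; within it the first matching 'by' decides.  No matching clause or
    'by' yields 'none'; 'break' moves on to the next clause.  None = anonymous."""
    entry = ENTRIES[target]
    for rule in acl:
        if not scope_matches(rule["scope"], target) or attr not in rule["attrs"]:
            continue
        if "filter" in rule and rule["filter"][1] not in entry.get(rule["filter"][0], []):
            continue
        for who, level in rule["by"]:
            if who == "*" or (who == "self" and binder == target) or who == binder:
                if level == "break":
                    break        # fall through to the next 'access to' clause
                return level
        else:
            return "none"        # implicit trailing 'by * none'
    return "none"

def can(acl, binder, target, attr, needed):
    """True if the evaluated level is at least the one the operation needs."""
    return LEVELS.index(granted(acl, binder, target, attr)) >= LEVELS.index(needed)
```

Under the original directive, user1 bound as itself gets no access to its own uid because dn.base never matches the user entries; under the suggested rules the service account can read uid only for entries carrying allowedService=zabbix and gets auth-only access to userPassword, so it never reads password hashes.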