Igor Shmukler wrote:
Seems to me that not many know how to write ACLs for OpenLDAP.
It's not that hard for your case. See relevant building blocks fromhttps://build.opensuse.org/package/view_file/home:stroeder:branches:network:ldap/openldap2/slapd.conf.example?expand=1
attached below.As user root you can then write cn=config and dc=example,dc=com and initialize the data. The group cn=slapd admins,ou=groups,dc=example,dc=com can read cn=config and manage dc=example,dc=com.
You alter by-clause for cn=config by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage to let this group also write to cn=config.I spend some time creating this public example config. There's no way around learning a bit more though. You should read and understand the example which takes less time than writing so many list postings and wait for detailed answers. But please understand I don't have the time to help in every detail.
Ciao, Michael.
--------------------- snip ---------------------
[..]
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
# System user root is mapped to the rootdn in database dc=example,dc=com
# which has also read access on config and monitor databases
authz-regexp
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
[..]
#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------
database config
# Cleartext passwords, especially for the rootdn, should
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret
access to
dn.subtree="cn=config"
by dn.exact="cn=root,dc=example,dc=com" manage
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
by * none
[..]
#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------
database mdb
suffix "dc=example,dc=com"
[..]
# Catch-all ACL for the rest
access to
dn.subtree=dc=example,dc=com
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
by self read
by users read
by * auth
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature