Re: OpenLDAP permissions question
Hello Michael,
Thank you for additional information.
I tried to do remapping inside a DIT database. Wrote the tiny snippet below:
$ cat set_config_regexp.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin,dc=directory,dc=com"
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_regexp.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcAuthzRegexp' not allowed
I obviously do not know whether something is wrong with my syntax, or
whether messed-up syntax could produce the above error. Seems like more
than a syntax problem.
It appears to me that remapping anything for
olcDatabase={0}config,cn=config would not help me either. I have
multiple DITs each managed by a separate RootDN.
What am I doing wrong?
Sincerely,
Igor Shmukler
On Fri, Mar 20, 2015 at 9:47 AM, Michael Ströder <michael@stroeder.com> wrote:
> Igor Shmukler wrote:
>>
>> Seems to me that not many know how to write ACLs for OpenLDAP.
>
>
> It's not that hard for your case.
>
> See relevant building blocks from
>
> https://build.opensuse.org/package/view_file/home:stroeder:branches:network:ldap/openldap2/slapd.conf.example?expand=1
>
> attached below.
>
> As user root you can then write cn=config and dc=example,dc=com and
> initialize the data. The group cn=slapd admins,ou=groups,dc=example,dc=com
> can read cn=config and manage dc=example,dc=com.
>
> You alter the by-clause for cn=config
>
> by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
>
> to let this group also write to cn=config.
>
> I spent some time creating this public example config. There's no way around
> learning a bit more though. You should read and understand the example, which
> takes less time than writing so many list postings and waiting for detailed
> answers. But please understand I don't have the time to help in every
> detail.
>
> Ciao, Michael.
>
> --------------------- snip ---------------------
>
> [..]
>
> # If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
> # System user root is mapped to the rootdn in database dc=example,dc=com
> # which has also read access on config and monitor databases
> authz-regexp
> "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
> "cn=root,dc=example,dc=com"
>
> [..]
>
> #---------------------------------------------------------------------------
> # cn=config // Configuration database (always first!)
> # see slapd-config(5)
> #---------------------------------------------------------------------------
>
> database config
>
> # Cleartext passwords, especially for the rootdn, should
> # be avoided! See slappasswd(8) and slapd.conf(5) for details.
> # Best thing is not to set rootpw at all!
> # For local config access by root use LDAPI with SASL/EXTERNAL instead
> # (see above).
> #rootpw secret
>
> access to
> dn.subtree="cn=config"
> by dn.exact="cn=root,dc=example,dc=com" manage
> by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
> by * none
>
> [..]
>
> #---------------------------------------------------------------------------
> # dc=example,dc=com // Example MDB database to be used by normal clients
> # see slapd-mdb(5)
> #---------------------------------------------------------------------------
>
> database mdb
>
> suffix "dc=example,dc=com"
>
> [..]
>
> # Catch-all ACL for the rest
> access to
> dn.subtree=dc=example,dc=com
> by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
> by self read
> by users read
> by * auth
>
>
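One way to put the mapping where slapd accepts it, as an added example that is neither poster's code: olcAuthzRegexp is a global attribute and belongs on the cn=config entry itself, not on an olcDatabase={n} entry (Michael's slapd.conf likewise has authz-regexp outside any database block), with the cn=config ACL from his snippet carried over as olcAccess. The DNs reuse Igor's cn=admin,dc=directory,dc=com and assume a group cn=slapd admins,ou=groups,dc=directory,dc=com.

```ldif
# Added example, not from the thread. Continuation lines start with two
# spaces: LDIF strips one, leaving the space that separates the two
# quoted strings of the value.

# 1. The authz-regexp mapping is global, so it goes on cn=config; putting it
#    on olcDatabase={1}hdb is what produced "attribute 'olcAuthzRegexp' not
#    allowed".
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin,dc=directory,dc=com"

# 2. Michael's "access to dn.subtree=cn=config" block as olcAccess on the
#    config database, so the mapped DN keeps manage rights on cn=config
#    (group DN is an assumption).
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="cn=config"
  by dn.exact="cn=admin,dc=directory,dc=com" manage
  by group.base="cn=slapd admins,ou=groups,dc=directory,dc=com" read
  by * none
```

Apply both records in a single `ldapmodify -Y EXTERNAL -H ldapi:///` run: once the mapping is live, root's SASL identity is rewritten to cn=admin,dc=directory,dc=com, so any existing by-clause written for the raw gidNumber=0+uidNumber=0,cn=peercred,... identity no longer matches and the ACL granting that DN manage must already be in place.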