[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with ACLs

To: Quanah Gibson-Mount <quanah@symas.com>, openldap-technical@openldap.org
Subject: Re: Problem with ACLs
From: Bill Bradford <mrbill@mrbill.net>
Date: Fri, 31 Aug 2018 12:59:55 -0500
Content-disposition: inline
In-reply-to: <E009113EDD4EB6618A1655B1@[192.168.1.10]>
References: <20180830191722.GW12349@mrbill.net> <E009113EDD4EB6618A1655B1@[192.168.1.10]>
User-agent: Mutt/1.9.3 (2018-01-21)

On Fri, Aug 31, 2018 at 08:23:37AM -0700, Quanah Gibson-Mount wrote:

--On Thursday, August 30, 2018 3:17 PM -0500 Bill Bradford<mrbill@mrbill.net> wrote:
 by dn="cn=Manager,dc=domain,dc=com" write
This should also be dn.exact


I'll fix that.  but this user (rootDN) has the required privs and
already works fine so far for a couple of years now.

 by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read

Are you sure this is the DN returned by ldapwhoami?


I'm not logging in to a Linux box as this user; I'm using this DN as
credentials (in Apache Directory Studio, ldapsearch, etc) and connecting
just fine - just not with the ability to read other user's passwords.

Past that, I'd suggest you test with slapacl and potentially ACL leveldebugging.

See reply I just sent to Jason about slapacl not behaving.

Thanks.  I hope to be able to hammer this out today.  My end result is
to have a user with all the privs of the RootDN, but as "read-only" and
without the ability to make any changes - so that we don't have to give
out the RootDN and password to apps that want to authenticate against LDAP.

Bill

--
Bill Bradford
Houston, Texas USA

Follow-Ups:
- Re: Problem with ACLs
  - From: Quanah Gibson-Mount <quanah@symas.com>

References:
- Problem with ACLs
  - From: Bill Bradford <mrbill@mrbill.net>
- Re: Problem with ACLs
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: RE: Problem with ACLs
Next by Date: Re: Problem with ACLs
Index(es):
- Chronological
- Thread