
Re: Access control



On Sun, 30 Jan 2011 23:36:13 +0100,
Thomas Schweikle <tps@vr-web.de> wrote:

> Hi!
> 
> I am trying to set up access control for an OpenLDAP server. I'd
> like to use a Group to set up users allowed to access and write to
> entries inside my tree:
> 
> I've created the group:
> dn: cn=administrators,dc=example,dc=com
> cn: administrators
> objectClass: groupOfNames
> # important for the group ACL feature
> member: cn=user1,ou=Users,dc=example,dc=com
> member: cn=user2,ou=Users,dc=example,dc=com
> 
> in
> dn: olcDatabase=hdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: hdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=example,dc=com
> olcRootDN: cn=adm,dc=example,dc=com
> olcRootPW: ${admpw}
> olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey
>   by group.exact="cn=administrators,dc=example,dc=com" write
>   by dn="cn=adm,dc=example,dc=com" write
>   by anonymous auth
>   by self write
>   by * none
> olcAccess: to dn.base=""
>   by * read
> olcAccess: to *
>   by group.exact="cn=administrators,dc=example,dc=com" write
>   by dn="cn=adm,dc=example,dc=com" write
>   by * read
> 
> Now trying to access "userPassword" from any user inside the tree
> "ou=Users,dc=example,dc=com".
> 1. The password field is empty -- it should hold a value
> 2. Entering a value, then pressing apply: "Error modifying
> 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access"
> 
> I'd expected to have access to "userPassword" and I am allowed to
> write this value. Why does it not work if I log in with user1?
> 
http://www.openldap.org/faq/data/cache/189.html
http://www.openldap.org/faq/data/cache/52.html

-Dieter

-- 
Dieter Klünter | Systems consulting
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
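The part of the FAQ material that bites most people is the evaluation order: slapd uses the first `to` clause whose target matches, then the first `by` clause within it whose subject matches, and stops there. The Python below is an added example written for this thread, not OpenLDAP code and not anything the poster supplied. It re-implements that first-match evaluation over the three olcAccess values quoted above, supports only the selectors they use (`*`, `attrs=`, `dn.base=`, `anonymous`, `self`, `dn=`, `group.exact=` with the default groupOfNames/member pairing), treats the olcRootDN as bypassing access control, and uses a constructed in-memory directory for the group and user entries. Treating a request that matches no `to` clause as denied is a modelling choice here; it never arises with the quoted rules because they end in `to *`.

```python
"""First-match model of slapd olcAccess evaluation (added example, not OpenLDAP
code). Only the <what>/<who> selectors used in the quoted configuration are
supported; anything else raises ValueError rather than guessing."""

import re

# slapd access levels, weakest to strongest; a granted level implies the weaker ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ROOT_DN = "cn=adm,dc=example,dc=com"  # olcRootDN from the quoted config

# Constructed sample directory using the DNs from the question (not real data).
DIRECTORY = {
    "cn=administrators,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=user1,ou=Users,dc=example,dc=com",
                   "cn=user2,ou=Users,dc=example,dc=com"],
    },
    "cn=user1,ou=Users,dc=example,dc=com": {"userPassword": ["{SSHA}constructed1"]},
    "cn=user3,ou=Users,dc=example,dc=com": {"userPassword": ["{SSHA}constructed3"]},
}

# The three olcAccess values from the question, each folded onto one line.
OLC_ACCESS = [
    'to attrs=userPassword,shadowLastChange,krbPrincipalKey '
    'by group.exact="cn=administrators,dc=example,dc=com" write '
    'by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by group.exact="cn=administrators,dc=example,dc=com" write '
    'by dn="cn=adm,dc=example,dc=com" write by * read',
]


def norm(dn):
    """Case-fold and strip blanks around RDN separators; enough for exact DN matching."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_directive(text):
    """Split one olcAccess value into (<what>, [(<who>, level), ...])."""
    what, *by_parts = re.split(r"\s+by\s+", text.strip())
    if not what.startswith("to ") or not by_parts:
        raise ValueError("malformed olcAccess value: " + text)
    clauses = []
    for part in by_parts:
        who, level = part.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        clauses.append((who.replace('"', ""), level))
    return what[3:].strip(), clauses


def what_matches(what, target_dn, attr):
    """<what> selector: '*', 'attrs=a,b,c' or 'dn.base="<dn>"' (that exact entry)."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        names = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in names
    if what.startswith("dn.base="):
        return norm(what[len("dn.base="):].strip('"')) == norm(target_dn)
    raise ValueError("unsupported <what> selector: " + what)


def who_matches(who, bind_dn, target_dn, directory):
    """<who> selector: '*', 'anonymous', 'self', 'dn=<dn>' or 'group.exact=<dn>'."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    if who.startswith("dn="):
        return bind_dn is not None and norm(bind_dn) == norm(who[len("dn="):])
    if who.startswith("group.exact="):
        # group/<objectClass>/<attr> defaults to groupOfNames/member in slapd.
        group = directory.get(norm(who[len("group.exact="):]), {})
        members = {norm(m) for m in group.get("member", [])}
        return bind_dn is not None and norm(bind_dn) in members
    raise ValueError("unsupported <who> selector: " + who)


def access_level(directives, bind_dn, target_dn, attr, directory=DIRECTORY):
    """Level the bound identity gets on (target_dn, attr); attr None = the entry itself."""
    if bind_dn is not None and norm(bind_dn) == norm(ROOT_DN):
        return "manage"  # the rootdn is not subject to access control at all
    for text in directives:
        what, clauses = parse_directive(text)
        if not what_matches(what, target_dn, attr):
            continue  # this <to> clause does not apply; try the next one
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn, directory):
                return level  # first matching <by> wins; later ones are never consulted
        return "none"  # a <to> matched but no <by> did: denied, no fall-through
    return "none"  # modelling assumption: no matching <to> clause means denied


def allowed(directives, bind_dn, target_dn, attr, wanted):
    """True if the granted level is at least `wanted` (levels are cumulative)."""
    return LEVELS.index(access_level(directives, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    user1 = "cn=user1,ou=Users,dc=example,dc=com"
    user3 = "cn=user3,ou=Users,dc=example,dc=com"
    for bind in (user1, user3, None):
        print(bind or "anonymous", "on", user3, "userPassword:",
              access_level(OLC_ACCESS, bind, user3, "userPassword"))
```

With the directives exactly as quoted, the model grants user1 `write` on user3's userPassword through the group clause, so rule order alone does not explain the "Insufficient access" in the question; what the client actually bound as is the next thing to check (an anonymous bind gets only `auth` on that attribute, and reads it back empty). Swapping `by * none` ahead of `by self write` in the first directive drops the self case to `none`, which is the kind of ordering mistake this check is meant to catch. The `by dn="cn=adm,dc=example,dc=com" write` lines are harmless but redundant, since the rootdn bypasses olcAccess entirely.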