
Re: Access control



On 31.01.2011 08:29, Dieter Kluenter wrote:
> On Sun, 30 Jan 2011 23:36:13 +0100,
> Thomas Schweikle <tps@vr-web.de> wrote:
> 
>> Hi!
>> 
>> I am trying to set up access control for an OpenLDAP server. I'd
>> like to use a Group to set up users allowed to access and write to
>> entries inside my tree:
>> 
>> I've created the group:
>> dn: cn=administrators,dc=example,dc=com
>> cn: administrators
>> objectclass: groupOfNames  (important for the group acl feature)
>> member: cn=user1,ou=Users,dc=example,dc=com
>> member: cn=user2,ou=Users,dc=example,dc=com
>> 
>> in
>> dn: olcDatabase=hdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcHdbConfig
>> olcDatabase: hdb
>> olcDbDirectory: /var/lib/ldap
>> olcSuffix: dc=example,dc=com
>> olcRootDN: cn=adm,dc=example,dc=com
>> olcRootPW: ${admpw}
>> olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey
>>   by group.exact="cn=administrators,dc=example,dc=com" write
>>   by dn="cn=adm,dc=example,dc=com" write
>>   by anonymous auth
>>   by self write
>>   by * none
>> olcAccess: to dn.base=""
>>   by * read
>> olcAccess: to *
>>   by group.exact="cn=administrators,dc=example,dc=com" write
>>   by dn="cn=adm,dc=example,dc=com" write
>>   by * read
>> 
>> Now trying to access "userPassword" from any user inside the tree
>> "ou=Users,dc=example,dc=com".
>> 1. The password field is empty -- it should hold a value
>> 2. Entering a value, then pressing apply: "Error modifying
>> 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access
>> 
>> I'd expected to have access to "userPassword" and I am allowed to
>> write this value. Why does it not work if I log in with user1?
>> 
> http://www.openldap.org/faq/data/cache/189.html
Had found this, read it, but got no additional information out of
it. I'd like to have access to the database for some people only.
Mainly to reset passwords. I've tried. It did not work. I'd read the
chapters in the admin manual. Didn't help. I am asking the list ---
and I am redirected to these, already known documents. Doesn't help
either.

> http://www.openldap.org/faq/data/cache/52.html
I've found this, read it, modified it to match my data, imported it.
And noticed it not changing anything. AFAIK I shall have access to
change the password of existing users. In reality I do not even have
access to read the password???

At the moment I am having:
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey
  by dn="cn=adm,dc=example,dc=com" write
  by group.exact="cn=administrators,dc=example,dc=com" write
  by anonymous auth
  by self write
  by * none

cn=adm,dc=example,dc=com has write access to the attributes.
Members of group cn=administrators,dc=example,dc=com have write
access. The one whose cn is authenticated has write access.
Anonymous users can authenticate.
All authenticated users may read.
All non authenticated users do not have any access at all.


olcAccess: {1}to dn.base=""
  by * read

Anyone may read the tree from dn.base on.


olcAccess: {2}to *
  by dn="cn=adm,dc=example,dc=com" write
  by group.exact="cn=administrators,dc=example,dc=com" write
  by * read

cn=adm,dc=example,dc=com has write access, as have members of the
group cn=administrators,dc=example,dc=com.
All others have read access.

Seems this interpretation is wrong. How do I have to interpret it
the correct way?

-- 
Thomas
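As an added illustration (not part of the thread, and not the poster's or OpenLDAP's own code), the following Python model replays the three olcAccess rules quoted above under the evaluation order that slapd.access(5) documents: the first `to` clause whose target selector matches is chosen, then the first matching `by` clause inside that rule decides the access level, and any subject that matches no `by` clause gets no access. The directory content (the group entry, three users) is constructed sample data; the rules are transcribed from the message as written.

```python
"""Model of slapd first-match ACL evaluation for the olcAccess rules quoted
in the thread.  Added example; constructed data, not the poster's real tree."""

# Access levels in slapd.access(5) order.  A grant at one level satisfies any
# request at or below it ("write" implies "read"; "auth" does not).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed directory content.  The root DSE (DN "") is what dn.base="" selects.
DIRECTORY = {
    "": {},
    "cn=administrators,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=user1,ou=Users,dc=example,dc=com",
                   "cn=user2,ou=Users,dc=example,dc=com"],
    },
    "cn=user1,ou=Users,dc=example,dc=com": {"userPassword": ["{SSHA}constructed"]},
    "cn=user2,ou=Users,dc=example,dc=com": {"userPassword": ["{SSHA}constructed"]},
    "cn=user3,ou=Users,dc=example,dc=com": {"userPassword": ["{SSHA}constructed"]},
}

# The poster's rules {0}, {1}, {2}, in order: (<what>, [(<who kind>, value, level), ...]).
# Note: the rootdn (cn=adm) is exempt from ACLs in slapd anyway; its lines are kept
# here only because they appear in the quoted configuration.
ACLS = [
    ({"attrs": {"userPassword", "shadowLastChange", "krbPrincipalKey"}},
     [("dn", "cn=adm,dc=example,dc=com", "write"),
      ("group.exact", "cn=administrators,dc=example,dc=com", "write"),
      ("anonymous", None, "auth"),
      ("self", None, "write"),
      ("*", None, "none")]),
    ({"dn.base": ""},
     [("*", None, "read")]),
    ({"any": True},
     [("dn", "cn=adm,dc=example,dc=com", "write"),
      ("group.exact", "cn=administrators,dc=example,dc=com", "write"),
      ("*", None, "read")]),
]


def what_matches(what, target_dn, attr):
    """Does this rule's <what> selector cover the target entry/attribute?"""
    if "any" in what:
        return True
    if "dn.base" in what:
        return target_dn == what["dn.base"]
    if "attrs" in what:
        return attr in what["attrs"]
    return False


def who_matches(kind, value, bound_dn, target_dn):
    """Does this <who> clause match the identity the client bound as (None = anonymous)?"""
    if kind == "*":
        return True
    if kind == "anonymous":
        return bound_dn is None
    if kind == "self":
        return bound_dn is not None and bound_dn == target_dn
    if kind == "dn":
        return bound_dn == value
    if kind == "group.exact":
        # slapd reads the group entry internally and checks the member values.
        group = DIRECTORY.get(value, {})
        return bound_dn is not None and bound_dn in group.get("member", [])
    raise ValueError("unsupported <who> kind: %s" % kind)


def granted_level(bound_dn, target_dn, attr=None):
    """First matching <what>, then first matching <who>; otherwise no access."""
    for what, whos in ACLS:
        if not what_matches(what, target_dn, attr):
            continue
        for kind, value, level in whos:
            if who_matches(kind, value, bound_dn, target_dn):
                return level
        return "none"  # a <what> matched but no <who> did: denied, later rules unused
    return "none"      # assumption: implicit deny when no rule matches at all


def allowed(bound_dn, target_dn, attr, needed):
    """True if the granted level satisfies the requested operation level."""
    return LEVELS.index(granted_level(bound_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    u1 = "cn=user1,ou=Users,dc=example,dc=com"
    u3 = "cn=user3,ou=Users,dc=example,dc=com"
    for label, args in [
        ("anonymous reads user3 userPassword", (None, u3, "userPassword", "read")),
        ("user3 reads user1 userPassword", (u3, u1, "userPassword", "read")),
        ("user3 writes own userPassword", (u3, u3, "userPassword", "write")),
        ("user1 (group member) writes user3 userPassword", (u1, u3, "userPassword", "write")),
        ("user3 reads user1 entry (non-password attrs)", (u3, u1, None, "read")),
    ]:
        print("%-50s %s (level %s)" % (label, allowed(*args), granted_level(*args[:3])))
```

Two rows of the output carry the interpretation question: an authenticated user who is neither the target entry nor a group member reaches `by * none` in rule {0} and gets no access to userPassword at all (the empty password field), because evaluation never falls through to `to *`; and a group member is granted write on another user's userPassword by `group.exact`. If a real server denies an operation that this model grants, the difference lies in the inputs the model takes as given: the DN the client actually bound as, and the `member` values of the group entry as stored in the database.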