
Re: ACL



On 19/03/2010 12:54, Carlo Pradissitto wrote:
Hi,
my DIT is some like this:

dc=<base>
|__ dc=<domain_1>
|     |__ o=<org_1>
|     |     |__cn=user_domain1_1
|     |     |__cn=user_domain1_2
|     |     |__cn=user_domain1_3
|     |__ o=<org_2>
|           |__cn=user_domain1_3
|           |__cn=user_domain1_4
|           |__cn=user_domain1_5
|__ dc=<domain_2>
      |__ o=<org_3>
      |     |__cn=user_domain2_1
      |     |__cn=user_domain2_2
      |     |__cn=user_domain2_3
      |__ o=<org_4>
            |__cn=user_domain2_3
            |__cn=user_domain2_4
            |__cn=user_domain2_5

I would like to create one administrative account for each domain
(<domain_1> and <domain_2>)

Here is my way:

I create a new branch:

dc=<base>
|__ o=Administrators
      |__ou=<domain_1>_Administrators
           |__ cn=Administrator1

then I insert a new directive in slapd.conf

access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write

Here the response when I try to connect with <domain_1>Administrators
credentials:

Error opening connection:
[LDAP: error code 49 - Invalid Credentials]

Here the OpenLDAP's output in debug mode

daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
>>> slap_listener(ldap://<my_host>:1389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: listen=7, new connection on 11
daemon: added 11r (active) listener=(nil)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 83 contents:
op tag 0x60, time 1268990296
ber_get_next
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>
<<< dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>, <cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>>
do_bind: version=3 dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" method=128
bdb_dn2entry("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
=> bdb_dn2id("dc=<base>")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x12
=> bdb_dn2id("ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x13
=> bdb_dn2id("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x14
entry_decode: "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>"
<= entry_decode(cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>)
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 11
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=11 for close
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_close: conn=1000 sd=11
daemon: removing 11

Same result with this policy:
access to dn.subtree="dc=<domain_1>,dc=<base>" by * write

I can access only with this policy:
access to * by * write

I compiled OpenLDAP 2.4.21 with default settings.

Here my slapd.conf:

include         /sw/test_domain_openldap-2.4.21/etc/openldap/schema/core.schema
include         /sw/test_domain_openldap-2.4.21/etc/openldap/schema/cosine.schema

pidfile         /sw/test_domain_openldap-2.4.21/var/run/slapd.pid
argsfile        /sw/test_domain_openldap-2.4.21/var/run/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=<base>"
rootdn          "cn=Manager,dc=<base>"
rootpw          testdomain
directory       /sw/test_domain_openldap-2.4.21/var/openldap-data
index   objectClass     eq

access to * by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write

thanks in advance!
Carlo

Hi Carlo,

You need to add an ACL to allow the administrator to BIND (authenticate) to the directory. Try this:

access to dn.subtree="ou=<domain_1>Administrators,o=Administrators,dc=<base>"
	by anonymous auth

access to dn.subtree="dc=<domain_1>,dc=<base>"
	by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write


--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
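Added example, not part of the thread: a fuller slapd.conf ACL set for the per-domain administrator pattern the two messages describe, written out the way a practitioner would deploy it rather than as a minimal fix. The placeholders (<base>, <domain_1>, <domain_2>, Administrator1) follow the original post; Administrator2 and ou=<domain_2>Administrators are assumed by analogy and do not appear on the page. The reasoning behind it: once any `access` directive is present, every entry that no directive matches gets the implicit `by * none`, so a simple bind fails because slapd cannot read the bind DN's userPassword to compare it, and slapd deliberately reports that as error 49 (Invalid Credentials) rather than as an access error. The `access to * by * write` workaround in the original config "fixes" this by granting anonymous clients write access to the whole directory, which is why it should never be left in place. The rootdn works regardless because it bypasses ACLs. One check worth making before touching the ACLs: the tree in the post names the container ou=<domain_1>_Administrators while the ACL and the bind DN use ou=<domain_1>Administrators; the DN in a `by dn` clause must match the entry's normalized DN exactly or the rule silently never applies.

```conf
# Added example (not from the thread): slapd.conf ACLs for delegated
# per-domain administrators.  Rules are evaluated in order; the first
# 'access to' clause whose <what> matches the target wins, and within it
# the first matching 'by' clause decides.  Attribute-specific rules must
# therefore come before the broader rules for the same entries.

# 1. Let the administrator entries authenticate.  A simple bind needs
#    'auth' access to userPassword of the bind DN, and at that moment the
#    connection is still anonymous, so 'anonymous auth' is the grant.
#    'by * none' is the implicit default; it is written out for clarity.
access to dn.subtree="o=Administrators,dc=<base>" attrs=userPassword
        by anonymous auth
        by self write
        by * none

# 2. Remaining attributes of the administrator entries: let each
#    administrator read its own entry, nobody else sees them.
access to dn.subtree="o=Administrators,dc=<base>"
        by self read
        by * none

# 3. Delegate each domain subtree to its administrator.  The dn.exact
#    style is stated explicitly so the match is not left to a default.
#    Administrator2 / ou=<domain_2>Administrators are assumed by analogy
#    with the post; they are not in the original.
access to dn.subtree="dc=<domain_1>,dc=<base>"
        by dn.exact="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
        by * none

access to dn.subtree="dc=<domain_2>,dc=<base>"
        by dn.exact="cn=Administrator2,ou=<domain_2>Administrators,o=Administrators,dc=<base>" write
        by * none

# 4. Everything else (dc=<base> itself included) is closed.  Only the
#    rootdn, which bypasses ACLs, can touch it.  This replaces the
#    'access to * by * write' workaround from the original slapd.conf.
access to *
        by * none
```

The bind path can be checked without starting slapd using slapacl(8), which evaluates the ACLs from the config file against an entry in the database. Run it as the anonymous requester (no `-D`) against the administrator's own entry, asking for `userPassword/auth`, e.g. `slapacl -f slapd.conf -b "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" userPassword/auth`; it should report auth access to userPassword as ALLOWED. Repeating it with `-D` set to the administrator DN and `-b` set to an entry under dc=<domain_1>,dc=<base> confirms the write grant, and the same query with `-b` under dc=<domain_2>,dc=<base> should come back DENIED.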