Open LDAP ACL and Group
- To: openldap-technical@openldap.org
- Subject: Open LDAP ACL and Group
- From: Dysan 67 <dysan67@gmail.com>
- Date: Fri, 7 Jun 2013 16:06:55 +0200
Hello,
I have a problem with an ACL and a group.
I configured a proxy slapd and added an ACL (see slapd.conf below).
When I run an ldapsearch command as user 'Test User', the attributes are displayed. It's OK.
But when I run the same ldapsearch command as user 'Synchro1 User', the message 'Insufficient access (50)' is displayed. It's not OK.
The user 'Synchro1 User' is a member of CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch
Do you have an idea?
Thank you for your help.
Dysan
My environment
---------------------
ldapproxy server: CentOS release 5.9 (Final), OpenLDAP version 2.3.43
dc1-test: Windows Server 2008 R2 (Domain Controller)
Ldapsearch command
-------------------
$ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636 -D "CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W -b "dc=activedir,dc=example,dc=ch" -s sub cn=*
Enter LDAP Password:
dn: ........
...
$ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636 -D "CN=Synchro1 User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W -b "dc=activedir,dc=example,dc=ch" -s sub cn=*
Enter LDAP Password:
Insufficient access (50)
slapd.conf
----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:-SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacerts.crt
TLSCertificateFile /etc/openldap/cacerts/ldapproxy.example.ch.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldapproxy.example.ch.key
loglevel -1
disallow bind_anon
# AD
database ldap
suffix "dc=activedir,dc=example,dc=ch"
uri "ldaps://dc1-test.example.ch/"
readonly on
rebind-as-user
lastmod off
access to attrs=displayname,sn,givenname,mail,telephoneNumber
by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
by * none
# The users must see the entry itself
access to attrs=entry
by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
by * none
# Other attributes: other users have no access
access to *
by * none
#---------------------------------------------------------------------------------------------------------------
slapd.conf end
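Added example, not from the original post: a small model of how slapd walks the "by" clauses of an access directive (first matching clause wins, as slapd.access(5) describes) against a constructed directory that mirrors the DNs in the question. It assumes the group entry carries objectClass "group" (what AD groups have) rather than groupOfNames, which is what the default "group.exact" form looks for; the longer "group/objectClass/attr" clause syntax is real slapd syntax, but whether this is the cause of the poster's error is an assumption.

```python
# Added example (not from the original post). Models slapd's "by" clause
# matching for dn.exact, group[/objectClass[/attr]].exact and "*".
# The directory below is constructed; the group is given objectClass "group"
# on purpose, because the default "group.exact" expects groupOfNames/member.

TEST_USER = "CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch"
SYNC_USER = "CN=Synchro1 User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch"
GROUP = "CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch"

def norm(dn):
    return dn.lower()

# Constructed entries, keyed by normalised DN.
DIRECTORY = {
    norm(TEST_USER): {"objectclass": ["person"]},
    norm(SYNC_USER): {"objectclass": ["person"]},
    norm(GROUP): {"objectclass": ["group"], "member": [SYNC_USER]},
}

def clause_matches(who, pattern, bind_dn):
    """who is 'dn.exact', 'group[/oc[/attr]].exact' or '*'."""
    if who == "*":
        return True
    if who == "dn.exact":
        return norm(pattern) == norm(bind_dn)
    if who.startswith("group"):
        parts = who.split(".")[0].split("/")          # group[/objectClass[/attr]]
        oc = parts[1] if len(parts) > 1 else "groupOfNames"   # slapd default
        attr = parts[2] if len(parts) > 2 else "member"       # slapd default
        grp = DIRECTORY.get(norm(pattern))
        if grp is None or oc.lower() not in [c.lower() for c in grp["objectclass"]]:
            return False                # no group entry of the expected class
        return norm(bind_dn) in [norm(m) for m in grp.get(attr.lower(), [])]
    raise ValueError("unsupported who clause: " + who)

def evaluate(clauses, bind_dn):
    """Access level granted by the first matching clause; slapd stops there."""
    for who, pattern, level in clauses:
        if clause_matches(who, pattern, bind_dn):
            return level
    return "none"

# The attribute ACL as written in the post.
ACL_FROM_POST = [("dn.exact", TEST_USER, "read"),
                 ("group.exact", GROUP, "read"),
                 ("*", "", "none")]

# Same ACL with the group's objectClass and member attribute named explicitly.
ACL_WITH_CLASS = [("dn.exact", TEST_USER, "read"),
                  ("group/group/member.exact", GROUP, "read"),
                  ("*", "", "none")]
```

Real slapd resolves the group clause with an internal search for the group entry; with loglevel -1 already set in the post's configuration, the proxy's log shows whether that search finds an entry of the expected objectClass.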