
Trying to get ACLs to work ...



We have a setup whereby a group of users are able to create accounts
in specific OUs. This is handled by ACLs like this one:

add: olcAccess
olcAccess: to dn.exact="ou=team1,ou=accounts,dc=example,dc=org"
  attrs=children
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-
add: olcAccess
olcAccess: to dn.sub="ou=team1,ou=accounts,dc=example,dc=org"
  attrs=entry
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-

I've been asked if the people who create those accounts can edit the
passwords after the accounts have been created. I tried to do that by
changing the second access line to read:

add: olcAccess
olcAccess: to dn.sub="ou=team1,ou=accounts,dc=example,dc=org"
  attrs=entry,userPassword,shadowLastChange
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-

Now, my problem is that this is clashing with the rule that we have
for authentication:

# Allow LDAP admin and the account concerned to modify their password,
# anonymous to authenticate.
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=example,dc=org" write
  by anonymous auth
  by self write
  by * none

Initially, that rule was the first of the olcAccess rules. I thought in
advance that that was going to block the writes to userPassword &
shadowLastChange in subsequent rules, so I moved it to after the rules
that covered creating those accounts.

Authentication then broke :-(

I can't just add

by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write

to the primary olcAccess rule because that will allow members of
"account-mgrs-non-staff" to change the password on ANY account, which
I cannot allow. It must only be to specific OUs.

How do I fix this clash between the rules, please?

Thanks.

Philip
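One way to resolve the clash, as an added example that is not part of the original post: slapd uses the first `to` clause that matches the entry and attribute, so a rule scoped to both the OU and the password attributes must come before the global userPassword rule, and must itself keep the `anonymous auth` and `self write` clauses or binds to those accounts fail. The database DN `olcDatabase={1}mdb,cn=config` and the `{n}` ordering indices are assumptions; the group, admin and OU DNs are the ones from the mail.

```ldif
# Added example, not from the original post. Rule order matters: slapd takes the
# first "to" clause matching the target entry and attribute, then the first "by"
# clause in it matching the requester. The database DN and {n} indices are
# assumed; adjust them to the position the rules must take in your olcAccess list.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
# OU-specific password rule first. Keeps anonymous auth and self write so binds
# to these accounts still work. Deliberately no "by users read": on userPassword
# that would expose password hashes to every authenticated user.
add: olcAccess
olcAccess: {0}to dn.sub="ou=team1,ou=accounts,dc=example,dc=org"
  attrs=userPassword,shadowLastChange
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by dn="cn=admin,dc=example,dc=org" write
  by anonymous auth
  by self write
  by * none
-
# General password rule, unchanged, now after the OU-specific one. Accounts
# outside ou=team1 fall through to it, so the group cannot touch their passwords.
add: olcAccess
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=example,dc=org" write
  by anonymous auth
  by self write
  by * none
-
# The account-creation rules stay as they were (attrs=children / attrs=entry
# only; userPassword is not added to them).
add: olcAccess
olcAccess: {2}to dn.exact="ou=team1,ou=accounts,dc=example,dc=org"
  attrs=children
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-
add: olcAccess
olcAccess: {3}to dn.sub="ou=team1,ou=accounts,dc=example,dc=org"
  attrs=entry
  by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write
  by users read
  by * none
-
```

Before loading it, check the effect with slapacl, e.g. `slapacl -b "uid=test,ou=team1,ou=accounts,dc=example,dc=org" -D "<a group member's DN>" userPassword/write` should be allowed, the same test against an account outside ou=team1 should be denied, and an anonymous `userPassword/auth` test against a team1 account should still be allowed.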