
Re: OpenLDAP permissions question



Igor,

Igor Shmukler wrote (20.03.2015 07:24):
> Indeed, slapacl(8) shows that I have read-only access to DIT entries.
> I tried hijacking DIT databases, as below:
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
>  s auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" wri
>  te by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by self write by dn="cn=admin,dc=ldap,dc=com" wr
>  ite by * read
>
> This does not get me what I need.
In addition to what Ferenc said:

- you have a data DIT in a database
-- which seems to be under dc=ldap,dc=com in your case
-- you can define a rootdn (user) for the database
--- which is allowed to do anything in the database
--- and bypasses all the ACLs
-- ACLs define who (user entries and groups) can do what with your data
--- ACLs are stored in the configuration
-- the configuration of the database is _not_ inside the database
   itself but in the config

- you have a configuration of slapd
-- which contains the database configuration
--- like the database directory
--- ACLs
--- or the rootdn

- configuration can be in a file (slapd.conf)
  or in a database (cn=config; config backend)
-- slapd.conf is edited in the file, so there is no need for an LDAP user
   to modify it
-- cn=config is a database
--- as with the database for your actual data, you have to define
    who can change the config database
--- with a rootdn or by ACL

- a rootdn can be
-- a (non-existing) dn in the database
   with the rootpw defined in the config
-- or a dn of a user entry somewhere inside your database
--- with password defined in the entry
--- mapped by authz-regexp (as Michael already explained)

To modify your data, you need an ACL or the rootdn for the database.
To change the rootdn or the ACL, you need to change the configuration.
If the configuration is inside the configuration backend, you need to be able
to change the database cn=config. So a rootdn or ACL for cn=config must exist.
If you are using cn=config, it would be best to have a full working LDIF to
import and initialize cn=config with, instead of trying to alter cn=config
online with ldapmodify in order to be able to change it.

I hope this clears things up a bit.

For additional information, see the man pages and the Admin Guide.

Marc
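Marc's explanation above, that ACLs are evaluated in order (the first matching "to" clause decides, and within it the first matching "by" clause decides) and that the rootdn bypasses the ACLs altogether, can be checked against the olcAccess values Igor quoted. The following is an added example, not code from this thread or from the OpenLDAP project: a small Python model of that evaluation order for the subset of slapd.access(5) syntax the quoted rules actually use. The DNs uid=igor,... and uid=bob,... and the rootdn cn=manager,... are constructed for the demonstration; only cn=admin,dc=ldap,dc=com comes from the thread. On a real server, slapacl(8), which Igor already used, remains the authoritative check.

```python
"""Simplified model of slapd olcAccess evaluation (added example, not OpenLDAP code).
Models the first-match order described in slapd.access(5) for a small subset of
the syntax: <what> as "*", dn.base="..." or attrs=a,b; <who> as "*", "self",
"anonymous" or dn="...".  Groups, sets, filters, dn.subtree, ssf etc. are out of scope."""
import re

# Access levels in increasing order (slapd.access(5)); each includes the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The olcAccess values quoted in the thread, still LDIF-folded: a continuation
# line starts with a single space and belongs to the line before it.
OLC_ACCESS_LDIF = """\
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" wri
 te by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=ldap,dc=com" wr
 ite by * read
"""

# Constructed DNs for the demonstration; only cn=admin appears in the thread.
ADMIN_DN = "cn=admin,dc=ldap,dc=com"
USER_DN = "uid=igor,ou=people,dc=ldap,dc=com"      # hypothetical user entry
OTHER_DN = "uid=bob,ou=people,dc=ldap,dc=com"      # hypothetical second user

def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_olc_access(ldif_text):
    """Return [(what, [(who, level), ...]), ...] in olcAccess order."""
    rules = []
    for line in unfold_ldif(ldif_text):
        if not line.startswith("olcAccess:"):
            continue
        body = re.sub(r"^\{\d+\}", "", line.split(":", 1)[1].strip())  # drop the {n} prefix
        assert body.startswith("to "), "unsupported access directive: " + line
        parts = re.split(r"\s+by\s+", body[3:].strip())    # [<what>, "<who> <level>", ...]
        bys = []
        for clause in parts[1:]:
            who, level = clause.rsplit(None, 1)
            assert level in LEVELS, "unknown access level: " + level
            bys.append((who, level))
        rules.append((parts[0], bys))
    return rules

def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison form (simplified, no schema)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def what_matches(what, entry_dn, attr):
    """Does this <what> select the entry/attribute?  attr=None means the entry itself."""
    if what == "*":
        return True
    m = re.match(r'^dn\.base="([^"]*)"$', what)
    if m:                       # dn.base matches exactly one entry ("" is the root DSE)
        return normalize_dn(m.group(1)) == normalize_dn(entry_dn)
    m = re.match(r"^attrs=(\S+)$", what)
    if m:                       # attrs=... without a dn part applies to every entry
        return attr is not None and attr.lower() in m.group(1).lower().split(",")
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, bind_dn, entry_dn):
    """Does this <who> describe the bound identity?  bind_dn="" is anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and normalize_dn(bind_dn) == normalize_dn(entry_dn)
    m = re.match(r'^dn="([^"]*)"$', who)
    if m:                       # treated as an exact DN comparison in this model
        return normalize_dn(m.group(1)) == normalize_dn(bind_dn)
    raise ValueError("unsupported <who>: " + who)

def evaluate(rules, bind_dn, entry_dn, attr, rootdn=None):
    """Granted level: the rootdn bypasses the ACLs; otherwise the first <what> that
    selects the target decides, and within it the first matching <who> decides."""
    if rootdn is not None and bind_dn != "" and normalize_dn(bind_dn) == normalize_dn(rootdn):
        return "manage"
    for what, bys in rules:
        if what_matches(what, entry_dn, attr):
            for who, level in bys:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"       # implicit trailing "by * none"
    return "none"               # model choice: fail closed when no <what> matched

RULES = parse_olc_access(OLC_ACCESS_LDIF)

if __name__ == "__main__":
    for case in [(USER_DN, OTHER_DN, "cn"), (USER_DN, OTHER_DN, "userPassword"), ("", USER_DN, "userPassword")]:
        print(case, "->", evaluate(RULES, *case))
```

Running it shows why slapacl reported read-only access for an ordinary user: against another user's entry, the "to *" rule grants only "by * read", and for userPassword the first rule ends in "by * none" once self, anonymous and the two admin DNs have failed to match. A bind as the configured rootdn returns manage without consulting the rules at all, which is Marc's point about changing the rootdn or the ACL in the configuration rather than in the data.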