
Re: OpenLDAP permissions question



Igor,

Igor Shmukler wrote (20.03.2015 11:21):
> Unfortunately, your email does not clear anything, FOR ME. It does not
> mean you are not 100% correct. I am just slow, I guess. Sorry.
Do simple things first! Do more complex things later!

- Configure a rootdn with rootpw for each database. Use this to
  authenticate to slapd and modify things.
  This works? Fine, go on.
- Create a user entry inside your DIT.
  Use this entry as rootdn.
  This works? Fine, go on.
- Map this user entry from your local unix user with olcAuthzRegexp
  to use with ldapi and EXTERNAL.
  This works? Fine, go on.
- or make your first steps with ACLs and another user entry.

> I don't see why/how Michael's suggestion with olcAuthzRegexp could
> work. The way that could have worked - multiple remaps, different for
> each database - is not allowed.
Read again what Michael said:
"authz-regexp is a global configuration option."

> The one permitted - inside config
> database, as far as I understand, does not do what I need.
Do you need multiple mappings?
As you are one user on your system, this maps to one user in ldap with olcAuthzRegexp.
As Michael already posted:

authz-regexp
  "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=root,dc=example,dc=com"

uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.

Marc
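The mapping Marc describes above, as an added worked example that is not part of the thread: a small model of how slapd applies authz-regexp rules to the SASL/EXTERNAL identity it derives from an ldapi peer (first matching rule wins, unmatched identities stay unmapped and therefore name no entry in the DIT), plus the cn=config LDIF for the rule Michael posted. The `{0}` ordering prefix and the slapd.conf-style doubled backslash inside the quoted value are assumptions about the olcAuthzRegexp value format; the regex model uses Python's `re` rather than slapd's POSIX ERE.

```python
import re

# The single rule quoted on the list: uid 0 over ldapi/EXTERNAL -> cn=root entry.
# Stored as the bare regex (one backslash); the config emitter below doubles it
# the way the quoted slapd.conf line on the list does.
AUTHZ_REGEXP_RULES = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=root,dc=example,dc=com"),
]


def peercred_authcdn(uid, gid):
    """SASL/EXTERNAL identity slapd builds from the ldapi peer credentials."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def apply_authz_regexp(authcdn, rules=AUTHZ_REGEXP_RULES):
    """Return the DN slapd would use after authz-regexp rewriting.

    Rules are global and tried in order; the first match wins. $0..$9 in the
    replacement expand to the whole match and its groups. An identity no rule
    matches is returned unchanged: it names no entry in the DIT, so it gets
    only the ACL rights granted to an unknown identity. (Assumption: this is a
    simplified model of slapd's matching, not its exact regexec semantics.)
    """
    for pattern, replacement in rules:
        m = re.search(pattern, authcdn)
        if m is None:
            continue
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return authcdn


def config_ldif(rules=AUTHZ_REGEXP_RULES):
    """LDIF adding the rules to cn=config, one ordered olcAuthzRegexp value each.

    Assumption: values use the same quoting as slapd.conf, so a backslash in
    the regex is written twice inside the quotes, as on the list.
    """
    lines = ["dn: cn=config", "changetype: modify", "add: olcAuthzRegexp"]
    for i, (pattern, replacement) in enumerate(rules):
        quoted = pattern.replace("\\", "\\\\")
        lines.append(f'olcAuthzRegexp: {{{i}}}"{quoted}" "{replacement}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(config_ldif())
    for uid, gid in ((0, 0), (1000, 1000)):  # root, and an ordinary local user
        print(peercred_authcdn(uid, gid), "->", apply_authz_regexp(peercred_authcdn(uid, gid)))
```

After loading the LDIF with ldapmodify over ldapi, `ldapwhoami -Y EXTERNAL -H ldapi:///` run as root should report the mapped DN, while the same command as an unprivileged user still shows the raw peercred identity.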