
Re: OpenLDAP permissions question



Marc,

Thank you for the explanations. I appreciate your time. I also appreciate
the time people on the list have given me, including Michael, Ferenc and
others. I don't even recall everyone's name. I am thinking about giving up,
though.

I even have a hard time understanding your messages, let alone the OpenLDAP
configuration steps.

I do have entries for each database. If my suffix is, for example,
dc=test,dc=org, the administrator would be cn=admin,dc=test,dc=org.
Administrators have manage access to their databases. This part is
working fine. I add and remove records as needed. You also wrote one
per database - this is exactly what I have.
Unfortunately, despite all the help, I don't see how this is relevant.

The advice to read documentation is great. In fact, it never hurts.

I am happy to offer a bounty to the person who can configure this. I need
to keep my setup with one config database with multiple DITs. I need
each DIT database to work as today - be managed by an authenticated
local/suffix root user. I need a way to alter records in any/every DIT
database using another root - one that would work on ALL DITs.
If someone could do this before Sunday morning, please contact me to
discuss compensation. If I don't get to a result by Sunday morning, I
have to start changing the architecture so I can show something on
Monday. :)

Sincerely,

Igor Shmukler


On Fri, Mar 20, 2015 at 1:09 PM, Marc Patermann
<hans.moser@ofd-z.niedersachsen.de> wrote:
> Igor,
>
> Igor Shmukler wrote (20.03.2015 11:59):
>
>>> - or make your first steps with ACLs and another user entry.
>>
>> What do I do here?
>
> read about ACL in the man pages and the admin guide!?
>
>>> Do you need multiple mappings?
>>
>>
>> I understand that config database would allow me to have up to fifty
>> mappings. I just don't understand how those could work for my need.
>>
>>> As you are one user on your system, this maps to one user in ldap with
>>> olcAuthzRegexp.
>>> As Michael already posted:
>>>
>>> authz-regexp
>>>   "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
>>>     "cn=root,dc=example,dc=com"
>>>
>>> uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.
>>
>>
>> I don't understand how this COULD work. Please explain why admin in
>> DIT 1 would have manage right to DIT 2.
>
> He doesn't have to! But he can.
>
> Go back to:
>
> - Configure a rootdn with rootpw for each database. Use this to
>   authenticate to slapd and modify things.
>   This works? Fine, go on.
> - Create a user entry inside your DIT
>   _for every database admin you want_.
>   Use _these entries_ as rootdn (one per database!).
>   This works? Fine, go on.
> - Delete the rootdn from config and make the user entry admin by an ACL.
>
>
> Marc
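
The end state of the steps quoted above, sketched in the same slapd.conf syntax as the quoted authz-regexp, as an added example that is not part of the original thread: each DIT keeps its own admin entry, and one mapped identity gets manage access on every DIT. The second suffix, the database type, the directory paths and the baseline read/auth rules are assumptions.

```conf
# Constructed example; suffixes, DNs, paths and the baseline policy are assumptions.

# Global section: the local root user (ldapi:// with SASL EXTERNAL) maps to one DN.
# The replacement is a plain DN, so it is only compared in ACLs and does not
# have to exist as an entry in any of the databases below.
authz-regexp
  "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=root,dc=example,dc=com"

# ---- DIT 1 ----
database   mdb
suffix     "dc=test,dc=org"
directory  /var/lib/ldap/test
# No rootdn/rootpw here (last step of the list): admin rights come from ACLs.
# Rule 1: the cross-DIT identity. "by * break" sends everyone else on to rule 2
# instead of stopping at the implicit "by * none".
access to *
    by dn.exact="cn=root,dc=example,dc=com" manage
    by * break
# Rule 2: the per-DIT admin, an entry inside this DIT, plus a placeholder
# baseline: anonymous may only authenticate, bound users may read.
access to *
    by dn.exact="cn=admin,dc=test,dc=org" manage
    by anonymous auth
    by users read

# ---- DIT 2 (assumed second suffix) ----
database   mdb
suffix     "dc=other,dc=org"
directory  /var/lib/ldap/other
# Same rule 1, so the mapped identity manages this DIT as well.
access to *
    by dn.exact="cn=root,dc=example,dc=com" manage
    by * break
# The admin of DIT 1 is not listed here and therefore gets no manage access.
access to *
    by dn.exact="cn=admin,dc=other,dc=org" manage
    by anonymous auth
    by users read
```

`slaptest -u -f slapd.conf` checks the file for syntax errors, and `ldapwhoami -Y EXTERNAL -H ldapi:///` run as root shows which DN the mapping produces.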