Admin roles by group membership per OU
- To: openldap-technical@openldap.org
- Subject: Admin roles by group membership per OU
- From: Ervin Hegedüs <airween@gmail.com>
- Date: Wed, 11 Oct 2017 17:31:14 +0200
- User-agent: Mutt/1.5.24 (2015-08-30)
Hi,
here is my scenario:
dn: dc=mycompany,dc=hu
dn: ou=ABC Customer,dc=mycompany,dc=hu
+- dn: cn=group1abc,ou=ABC Customer,dc=mycompany,dc=hu
+- dn: cn=group2abc,ou=ABC Customer,dc=mycompany,dc=hu
+- dn: cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu
+- dn: uid=user1,ou=ABC Customer,dc=mycompany,dc=hu
+- dn: uid=user2,ou=ABC Customer,dc=mycompany,dc=hu
dn: ou=XYZ Customer,dc=mycompany,dc=hu
+- dn: cn=group1xyz,ou=XYZ Customer,dc=mycompany,dc=hu
+- dn: cn=group2xyz,ou=XYZ Customer,dc=mycompany,dc=hu
+- dn: uid=user1,ou=XYZ Customer,dc=mycompany,dc=hu
+- dn: uid=user2,ou=XYZ Customer,dc=mycompany,dc=hu
...
the cn=groupabcadmin,ou=ABC Customer node above looks like this:
dn: cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu
objectClass: groupOfNames
cn: groupabcadmin
member: uid=user1,ou=ABC Customer,dc=mycompany,dc=hu
I'd like to set it up so that all members of the cn=groupabcadmin
group (now the "uid=user1,ou=ABC Customer",... user) can write to
the DB (add, modify, delete) under their own OU, specifically
ou=ABC Customer,dc=mycompany,dc=hu.
I've found this example:
http://www.openldap.org/faq/data/cache/52.html
Now the config looks like this:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mycompany,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
olcLastMod: TRUE
The uid=user1 user's password is correct; I can read from the DB with it.
But when I try to add a new user, I get:
ldap_add: Insufficient access (50)
additional info: no write access to parent
and in log:
Oct 11 17:03:16 open-ldap slapd[25821]: mdb_dn2entry("uid=user2,ou=abc customer,dc=mycompany,dc=hu")
Oct 11 17:03:16 open-ldap slapd[25821]: => mdb_dn2id("uid=user2,ou=abc customer,dc=mycompany,dc=hu")
Oct 11 17:03:16 open-ldap slapd[25821]: <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798)
Oct 11 17:03:16 open-ldap slapd[25821]: => mdb_entry_decode:
Oct 11 17:03:16 open-ldap slapd[25821]: <= mdb_entry_decode
Oct 11 17:03:16 open-ldap slapd[25821]: => access_allowed: add access to "ou=ABC Customer,dc=mycompany,dc=hu" "children" requested
Oct 11 17:03:16 open-ldap slapd[25821]: => dn: [2]
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_get: [3] attr children
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_mask: access to entry "ou=ABC Customer,dc=mycompany,dc=hu", attr "children" requested
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_mask: to all values by "uid=user1,ou=abc customer,dc=mycompany,dc=hu", (=0)
Oct 11 17:03:16 open-ldap slapd[25821]: <= check a_dn_pat: *
Oct 11 17:03:16 open-ldap slapd[25821]: <= acl_mask: [1] applying read(=rscxd) (stop)
Oct 11 17:03:16 open-ldap slapd[25821]: <= acl_mask: [1] mask: read(=rscxd)
Oct 11 17:03:16 open-ldap slapd[25821]: => slap_access_allowed: add access denied by read(=rscxd)
Oct 11 17:03:16 open-ldap slapd[25821]: => access_allowed: no more rules
Oct 11 17:03:16 open-ldap slapd[25821]: mdb_add: no write access to parent
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_result: conn=1208 op=1 p=3
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_result: err=50 matched="" text="no write access to parent"
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_response: msgid=2 tag=105 err=50
Oct 11 17:03:16 open-ldap slapd[25821]: conn=1208 op=1 RESULT tag=105 err=50 text=no write access to parent
What am I missing?
Thanks,
a.
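The log above shows slapd stopping at the first "to" clause whose target matches the entry (here rule {2}, "to * by * read") before it ever reaches rule {3}, and it shows the add being authorized against the parent OU entry's "children" pseudo-attribute, which a dn.children target does not cover because dn.children excludes the base entry itself. The Python model below is added here as an illustration and is not part of the post or of OpenLDAP; it replays the posted olcAccess rules in three orders to show both effects (the norm, target_matches and ou_rule helpers are mine, and the model ignores regex targets, stop/continue controls and the finer-grained access levels).

```python
# Model of slapd ACL evaluation: the first "to" clause whose target matches the
# entry/attribute wins, then the first matching "by" clause sets the access level.
# Added illustration, not OpenLDAP code; DNs and group membership come from the post.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))
def target_matches(rule, entry_dn, attr):
    """'to' part. dn.children excludes the base entry itself; dn.subtree includes it."""
    e, base, scope = norm(entry_dn), norm(rule.get("dn", "")), rule.get("scope")
    below = e != base and e.endswith("," + base)
    if (scope == "children" and not below) or (scope == "base" and e != base):
        return False
    if scope == "subtree" and not (e == base or below):
        return False
    return "attrs" not in rule or attr in rule["attrs"]
def who_matches(who, bound_dn, entry_dn, groups):
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "self":
        return bound_dn is not None and norm(bound_dn) == norm(entry_dn)
    if who.startswith("group="):  # group.exact=<dn>: the bound DN must be a member
        return bound_dn is not None and norm(bound_dn) in groups.get(norm(who[6:]), set())
    return False
def access_for(rules, bound_dn, entry_dn, attr, groups):
    for rule in rules:
        if target_matches(rule, entry_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, bound_dn, entry_dn, groups):
                    return level
            return "none"  # "to" matched but no "by" clause did
    return "none"          # "no more rules": slapd denies by default
def can_add_under(rules, bound_dn, parent_dn, groups):
    """An add is checked against the parent entry's 'children' pseudo-attribute."""
    level = access_for(rules, bound_dn, parent_dn, "children", groups)
    return LEVELS.index(level) >= LEVELS.index("write")

OU = "ou=ABC Customer,dc=mycompany,dc=hu"
ADMIN_GROUP = "cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
USER1 = "uid=user1,ou=ABC Customer,dc=mycompany,dc=hu"
GROUPS = {norm(ADMIN_GROUP): {norm(USER1)}}
PASSWD = {"attrs": {"userPassword", "shadowLastChange"},
          "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]}
ROOTDSE, CATCH_ALL = {"scope": "base", "dn": "", "by": [("*", "read")]}, {"by": [("*", "read")]}
def ou_rule(scope):
    return {"scope": scope, "dn": OU, "by": [("self", "write"), ("group=" + ADMIN_GROUP, "write"), ("*", "auth")]}
POSTED = [PASSWD, ROOTDSE, CATCH_ALL, ou_rule("children")]      # post's order: {2} "to *" wins
REORDERED = [PASSWD, ROOTDSE, ou_rule("children"), CATCH_ALL]   # children never matches the OU entry
FIXED = [PASSWD, ROOTDSE, ou_rule("subtree"), CATCH_ALL]        # subtree matches the OU entry too
```

Note that once the OU rule precedes the catch-all, its own "by * auth" clause also decides what other binds get under that OU, so the catch-all's read no longer reaches them.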