[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Admin roles by group membership per OU

To: Quanah Gibson-Mount <quanah@symas.com>
Subject: Re: Admin roles by group membership per OU
From: Ervin Hegedüs <airween@gmail.com>
Date: Thu, 12 Oct 2017 21:50:15 +0200
Cc: Clément OUDOT <clement.oudot@savoirfairelinux.com>, openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=iQ8LNtVWd4z1jIxo8H0Tx4zNxkwFyTvOuGdTKecJpLE=; b=jGXruU2HEyKdC7NLF0zRr4uk3pZoIW+lBOySEvMiinKGWgTQY3/X2tR4Qwh+0yakdP qAht9uK0gMuzZwunvhu96n946v5+9tKChJpA2T1q1kmSI+zbH1ZRpH7tE1QSZ7dPdD5G DX5Dz5ZYhxLvmiQR32R4XeqNvtdh5VqXDvJdSdiDGkbdbDo/fbM+pF8TepJfxiJlc8tM BetAQlM+yx3IQZsDAETCUMsxkDM5c4sv6+ONX4tIdH9kGwXxa3WjA+Tz5OUQb+P1eJc4 RqFseDjNOzTIBOFszB/OnPIVQACJigw3aAW/beUnqctdpdLh99ckLG4pftMbveQI9AF9 JD/g==
In-reply-to: <755C73DF70A5217978F6B6A1@[192.168.1.30]>
References: <20171011153114.GA6037@arxnet.hu> <5411f0bd-bf3d-1a88-650b-8f8e845815df@savoirfairelinux.com> <20171012143945.GA24897@arxnet.hu> <1e3053aa-10c0-2e89-4ecf-78b196480abb@savoirfairelinux.com> <20171012153230.GA26702@arxnet.hu> <WM!3ea8ec7098d14925dc39d957afaad62f207f43d00b4c648f2f5d4f5322d8acfa9261435931a6075dbeba167726dc6c91!@mailstronghold-3.zmailcloud.com> <755C73DF70A5217978F6B6A1@[192.168.1.30]>
User-agent: Mutt/1.5.24 (2015-08-30)

Hi folks,

many-many thanks for your helps,

On Thu, Oct 12, 2017 at 11:06:00AM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, October 12, 2017 6:32 PM +0200 Ervin Hegedüs
> <airween@gmail.com> wrote:
> 
> >rules:
> >
> >olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> >anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
> >olcAccess: {1}to dn.base="" by * read
> >olcAccess: {2}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by
> >self write by group.exact="cn=groupabcadmin,ou=ABC
> >Customer,dc=core,dc=hdt,dc=hu" write by self write by anonymous auth by
> >dn="uid=repuser,dc=mycompany,dc=hu" read olcAccess: {3}to * by * read
> 
> 
> Your olcAccess: {1} value does not belong in your back-MDB database.  That
> rule goes in the {-1}frontend,cn=config portion of the database as a global
> access rule. 
what does it reveal? This rule comes with the default
installation...

> You probably also want a rule that reads:
> 
> to dn.base="cn=subschema"  by * read

the frontend config is this:

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

> in the {-1}frontend,cn=config database as well.
> 
> So for your back-mdb database, what one would expect is more something like:
> 
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
> olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self
> write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu"
> write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
> olcAccess: {2}to * by * read

well, at first look it works - many thanks again.

I'll check it all config tomorrow.


Regards,


a.

References:
- Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Clément OUDOT <clement.oudot@savoirfairelinux.com>
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Clément OUDOT <clement.oudot@savoirfairelinux.com>
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Re: Admin roles by group membership per OU
Next by Date: Re: Admin roles by group membership per OU
Index(es):
- Chronological
- Thread