[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: learning olcAccess

To: Lists Nethead <lists@nethead.se>, openldap-technical@openldap.org
Subject: Re: learning olcAccess
From: Sven Mäder <maeder@phys.ethz.ch>
Date: Mon, 19 Mar 2018 09:54:00 +0100
Content-language: en-US
In-reply-to: <20180318165432.Horde.44FDLKmoCSbkvLe8K2rjW-F@webmail.nethead.se>
References: <20180318165432.Horde.44FDLKmoCSbkvLe8K2rjW-F@webmail.nethead.se>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0

Hi

You could insert something like this:

to dn.exact="ou=somedomain,dc=example,dc=com"
  attrs=children
  by group="cn=admingroup,ou=ldap,dc=example,dc=com" write stop
  by * break
to dn.children="ou=somedomain,dc=example,dc=com"
  attrs=@inetOrgPerson,@organizationalUnit,@posixAccount,
 @shadowAccount,entry
  by group="cn=admingroup,ou=ldap,dc=example,dc=com" write stop
  by * break

This will grant administrative rights by the specified group to:

- the "children" attr of the entry: ou=somedomain,dc=example,dc=com
- all attrs of children of: ou=somedomain,dc=example,dc=com in the
  specified objectClasses plus the entries itself
- all other users/groups will continue with ACL evaluation (by * break)

This will prevent modifying the entry: ou=somedomain,dc=example,dc=com
If you do not need that, replace the two ACLs with:

to dn.subtree=ou=somedomain,dc=example,dc=com"
...

But you have to add these ACLs before the rule with:
to attrs=userPassword ...
otherwise if you add it at the end, the "by * none" will prevent all
access.

ou=ldap is just an ou that contains my slapd admin groups, for example:

dn: ou=ldap,dc=example,dc=com
objectClass: organizationalUnit
ou: ldap

dn: cn=admingroup,ou=ldap,dc=example,dc=com
objectClass: groupOfNames
member: uid=someuser,ou=somedomain,dc=example,dc=com
cn: admingroup

Hope that helps a bit with the bleeding :)
And carefully test your ACLs, I had to do a lot of try and error to
get it right.

Kind regards
Sven

On 03/18/2018 04:54 PM, Lists Nethead wrote:

Hi all,

First post here, and it is asking for advice on an access rule. Setup is,

+-dc=example,dc=com
+--ou=somedomain
+---uid=someuser,ou=somedomain,dc=example,dc=com
+--ou=someotherdomain
+---uid=otheruser,ou=someotherdomain,dc=example,dc=com
+--ou=yetanotherdomain

The ruleset so far that seems to work is

to dn.base="" by * read
to dn.base="cn=subschema" by * read
to attrs=userPassword by dn.base="cn=admin,dc=example,dc=com"
write by dn.base="uid=otheradmin,ou=System,dc=example,dc=com" writeby self
   write by anonymous auth  by * none
to *  by dn.base="uid=someadmin,ou=System,dc=example,dc=com" w
  rite by self read  by peername.ip=<address>%255.255.255.0 read by peern
  ame.ip=<address>%255.255.255.0 read by peername.ip=<address>%255.255.2
  55.0 read by users tls_ssf=256 read  by * none
What I want next is that "uid=someuser,ou=somedomain,dc=example,dc=com"should be able to administer accounts in "ou=somedomain" and likewisefor other "ou=".
My guess is that a group with admin accounts is the way to go but rightnow my eyes are bleeding after reading the whole day about access rules...
Thanks,

//per


--
Sven Mäder <maeder@phys.ethz.ch>
Support: +41 44 633 2668   Voice: +41 44 633 7661
IT Services Group, HPT H 6
Physics Department, ETH Zurich
CH-8093 Zurich, Switzerland

References:
- learning olcAccess
  - From: Lists Nethead <lists@nethead.se>

Prev by Date: Re[2]: Missing contextCSN on ldap cluster
Next by Date: Re: Antw: Mirror mode not working with other user accounts
Index(es):
- Chronological
- Thread