
Re: LDAP Access controls



Of course my group access rule failed miserably with the following error
from slapd:

/etc/ldap/slapd.d: line 1: group "cn=$1,ou=Groups,dc=moores,dc=ca" attr
"memberUid": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26; must
be 1.3.6.1.4.1.1466.115.121.1.12 (DN), 1.3.6.1.4.1.1466.115.121.1.34
(NameUID) or a subtype of labeledURI.


It also gave me a warning for the first rule for user address books
which I hadn't noticed before:

/etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the
ACL scope within backend naming context
Backend ACL: access to
dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$"
	by dn.base,expand="uid=$1,ou=People,dc=moores,dc=ca" write
	by * read

I have no idea what this means. Guess I'll google it.


Darryl Moore wrote:
> Oops, my bad, I cut and pasted the rules wrong
> 
> olcAccess: {1}to
> dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * read
> 
> 
> 
> olcAccess: {2}to
> dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca" write by * read
> 
> 
> cheers,
> darryl
> 
> Darryl Moore wrote:
>> Well with a bunch of reading and even more experimentation I have been
>> able to set up access to individual users' Address Books with the
>> following rule:
>>
>> olcAccess: {1}to
>> dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
>> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write b$
>>
>> I want to set up a separate address book below various user groups as
>> well, and give write access only to the members. I think the following
>> will work.
>>
>> olcAccess: {2}to
>> dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
>> group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca$" write
>>
>> Two questions.
>>
>> First do both these rules look reasonable? Are there any glaring
>> security holes I'm missing? I think I have it right.
>>
>> Two. Once I have this working I want to be able to set up various users
>> as administrators to groups. (As you can do with gpasswd/gshadow in
>> Linux) I looked around a lot, but have not seen anything that appears to
>> allow you to do this with LDAP. Am I going to need to modify schemas to
>> do this? <gulp>
>>
>> Wow, I may be ready for my LPIC3 once I've figured all this out.
>>
>> cheers,
>> darryl
>>
>> Darryl Moore wrote:
>>> Thanks again, I think I figured it out. I made some edits to the
>>> olcDatabase={1}bdb.ldif file in the slapd.d, and was able to write to
>>> the database. (It sure does help when you read the right set of
>>> instructions)
>>>
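As an added illustration (not from the thread) of why slapd rejected the second rule: a group/<objectclass>/<attr> clause only accepts a member attribute whose syntax is DN or NameAndOptionalUID, and posixGroup's memberUid is an IA5 string of bare uids. The script below mirrors that check against a constructed schema table; the groupOfNames/member variant it also checks is an assumed alternative for comparison, not something proposed in the thread.

```python
import re

# Syntax OIDs as they appear in slapd's error message (LDAP standard syntaxes).
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"        # Distinguished Name
NAME_UID_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.34"  # Name and Optional UID
IA5_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.26"       # IA5 String

# Constructed subset of the core and nis schemas; a real checker would read
# each attribute's SYNTAX from the server's subschema instead of a table.
ATTRIBUTE_SYNTAX = {
    "member": DN_SYNTAX,              # groupOfNames
    "uniquemember": NAME_UID_SYNTAX,  # groupOfUniqueNames
    "memberuid": IA5_SYNTAX,          # posixGroup: bare uid strings, not DNs
}

# group/<objectclass>/<attr>="<dn pattern>" as written in an olcAccess "by" clause
GROUP_CLAUSE = re.compile(
    r'group(?:\.\w+)?/(?P<oc>[\w-]+)/(?P<attr>[\w-]+)=(?P<pattern>"[^"]*")'
)

def check_group_clauses(acl: str) -> list[str]:
    """Return one message per group/<oc>/<attr> clause that slapd would reject
    because the member attribute is not DN-valued; an empty list means the
    group clauses pass this syntax check."""
    problems = []
    for m in GROUP_CLAUSE.finditer(acl):
        attr = m.group("attr")
        syntax = ATTRIBUTE_SYNTAX.get(attr.lower())  # attribute names are case-insensitive
        if syntax is None:
            problems.append(f'attr "{attr}": not in the embedded schema table')
        elif syntax not in (DN_SYNTAX, NAME_UID_SYNTAX):
            problems.append(
                f'group {m.group("pattern")} attr "{attr}": inappropriate syntax: '
                f"{syntax}; must be {DN_SYNTAX} (DN) or {NAME_UID_SYNTAX} (NameUID)"
            )
    return problems

# Constructed samples: the posixGroup rule from the thread and a variant that
# assumes the group entries also carry groupOfNames with a DN-valued "member".
POSIX_GROUP_ACL = (
    'to dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" '
    'by group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca" write by * read'
)
GROUP_OF_NAMES_ACL = POSIX_GROUP_ACL.replace(
    "group/posixGroup/memberUid", "group/groupOfNames/member"
)

if __name__ == "__main__":
    print(check_group_clauses(POSIX_GROUP_ACL), check_group_clauses(GROUP_OF_NAMES_ACL))
```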