[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Access controls

I still haven't figured out what the warning is for olcAccess:{1}, but I
have figured out my group access problem.

I wanted to use posixGroup/memberUid because I'm using Linux groups so
that made sense. However the members have to be full
dn="uid=mouse0,ou=Users,dc=my,dc=domain" format, hence the need to use
groupofNames/member (which is the default)

The problem left to me now is how I automate the mapping of
posixGroup/MemberUid --> groupofNames/member when I create or change
group memberships (which could happen frequently). I guess I'll have to
make changes to the ldapaddusertogroup script, unless someone here knows
a better way.


P.S. sorry for all the repliess to myself. I tend to talk to myself a
lot. `~`

Darryl Moore wrote:
> Of course my group access rule failed miserably with the following error
> from slapd:
> /etc/ldap/slapd.d: line 1: group "cn=$1,ou=Groups,dc=moores,dc=ca" attr
> "memberUid": inappropriate syntax:; must
> be (DN),
> (NameUID) or a subtype of labeledURI.
> It also gave me a warning for the first rule for user address books
> which I hadn't noticed before:
> /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the
> ACL scope within backend naming context
> Backend ACL: access to
> dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$"
> 	by dn.base,expand="uid=$1,ou=People,dc=moores,dc=ca" write
> 	by * read
> I have no idea what this means. Guess I'll google it.
> Darryl Moore wrote:
>> Opps my bad, I cut and past the rules wrong
>> olcAccess: {1}to
>> dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
>> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * read
>> olcAccess: {2}to
>> dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
>> group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca" write by * read
>> cheers,
>> darryl
>> Darryl Moore wrote:
>>> Well with a bunch of reading and even more experimentation I have been
>>> able to set up access to individual users Address Books. with the
>>> following rule:
>>> olcAccess: {1}to
>>> dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
>>> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write b$
>>> I want to set up a seperate address book below various user groups as
>>> well, and give write access only to the members. I think the following
>>> will work.
>>> olcAccess: {2}to
>>> dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
>>> group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca$" write
>>> Two questions.
>>> First do both these rules look reasonable? Are there any glaring
>>> security holes I'm missing? I think I have it right.
>>> Two. Once I have this working I want to be able to set up various users
>>> as administrators to groups. (As you can do with gpasswd/gshadow in
>>> Linux) I looked around a lot, but have not seen anything that appears to
>>> allow you to do this with LDAP. Am I going to need to modify schemas to
>>> do this? <gulp>
>>> Wow, I may be ready for my LPIC3 once I've figured all this out.
>>> cheers,
>>> darryl
>>> Darryl Moore wrote:
>>>> Thanks again, I think I figured it out. I made some edits to the
>>>> olcDatabase={1}bdb.ldif file in the slapd.d, and was able to write to
>>>> the database. (It sure does help when you read the right set of
>>>> instructions)