[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control

To: openldap-technical@openldap.org
Subject: Re: Access control
From: Thomas Schweikle <tps@vr-web.de>
Date: Mon, 31 Jan 2011 14:17:58 +0100
In-reply-to: <201101311152.15283.harry.jede@arcor.de>
References: <ii4p4u$6tj$1@dough.gmane.org> <201101311152.15283.harry.jede@arcor.de>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; de-DE; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7

Am 31.01.2011 11:52, schrieb harry.jede@arcor.de:
> Thomas Schweikle wrote:
>> Hi!
>>
>> I am trying to set up access control for an OpenLDAP server. I'd
>> like to use a Group to set up users allowed to access and write to
>> entries inside my tree:
>>
>> I've created the group:
>> dn: cn=administrators,dc=example,dc=com
>> cn: administrators
>> objectclass: groupOfNames  (important for the group acl feature)
>> member: cn=user1,ou=Users,dc=example,dc=com
>> member: cn=user2,ou=Users,dc=example,dc=com
>>
>> in
>> dn: olcDatabase=hdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcHdbConfig
>> olcDatabase: hdb
>> olcDbDirectory: /var/lib/ldap
>> olcSuffix: dc=example,dc=com
>> olcRootDN: cn=adm,dc=example,dc=com
>> olcRootPW: ${admpw}
>> olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey
>>   by group.exact="cn=administrators,dc=example,dc=com" write
>>   by dn="cn=adm,dc=example,dc=com" write
>>   by anonymous auth
>>   by self write
>>   by * none
>> olcAccess: to dn.base=""
>>   by * read
>> olcAccess: to *
>>   by group.exact="cn=administrators,dc=example,dc=com" write
>>   by dn="cn=adm,dc=example,dc=com" write
>>   by * read
>>
>> Now trying to access "userPassword" from any user inside the tree
>> "ou=Users,dc=example,dc=com".
>> 1. The password field is empty -- it should hold a value
>> 2. Entering a value, then pressing apply: "Error modifying
>> 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access
>>
>> I'd expected to have access to "userPassword" and I am allowed to
>> write this value. Why does it not work if I log in with user1?
> The openldap server is unable to authenticate user1 unless user1 has a 
> valid password. I assume that adm is your admin DN. Try to set an 
> initial password for user1 with the adm account.
> And then verify that a search operation is successfull before trying to 
> write.
user1 has a password and is authenticated via kerberos. This is
working as expected. A ticket is granted. There is no password
within LDAP for this user.

user2 has no kerberos password and is authenticated via ldap. This
is working as expected.

1. I can log in with both users.
2. I can view the database with both users.
3. I can't change password with any of the users, but this
   seems to be a bug introduced by ubuntu and pam configuration.
   Maybe it is a regression, since it has worked for some time
   in the past.
4. How do I set up a group of users to change and reset
   passwords for other users? It is not useful to do it
   - login to the server
   - sudo to root
   - export the user
   - edit the exported ldif to apply changes
   - use ldapmodify to apply the changes made
   This is lot to complicated and error frown. I'd like to
   use gq or something else (not web based) and I'd like to
   have additional users having the right to do it, not
   giving them my rootDN including password. Idealy these
   users would have to be authenticated by kerberos. As this
   would give an encripted connection to the ldap server.

> In your acls you use "dc=example,dc=com" as suffix, but your real suffix 
> is "dc=xompu,dc=de". Isn't it?

Both. One is my staging server, the other the one whom to go into
production if I ever get it running!


-- 
Thomas

References:
- Access control
  - From: Thomas Schweikle <tps@vr-web.de>
- Re: Access control
  - From: harry.jede@arcor.de

Prev by Date: Re: Access control
Next by Date: Re: meta directory backend and rewriting option '|'
Index(es):
- Chronological
- Thread