[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP permissions question

Hello Ferenc,

Thank you for the answer. This is even more confusing.
I am going to slightly rephrase what you were suggesting, only to
confirm that I understood you. I am not at all sure I did

I have an OpenLDAP server with multiple databases: a config database -
{0)config,cn=config plus several for DITs {1}hdb,cn=config and also
{2}hdb,cn=config ... {n}hdb,cn=config

Are you saying that I could pick an administrator associated with
database X [last say 2] for some domain dc=example,dc=com and give
this user identified by DN: cn=admin,dc=example,com rights to manage
records in all DITs?
Basically, something like "$ldapdelete -x -D
cn=admin,dc=example,dc=com -W cn=john,dc=directory,dc=com" would
successfully delete an entry from a DIT with index Y [say 1].

I apologize for asking these questions, but I have been given a lot of
advice some of which was aimed to solve other problems. Apparently, my
ability to clearly explain what I need is not much better than the
ability to comprehend OpenLDAP docs.


Igor Shmukler

On Fri, Mar 20, 2015 at 10:19 AM, Ferenc Wagner <wferi@niif.hu> wrote:
> Igor Shmukler <igor.shmukler@gmail.com> writes:
>> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
>>  s auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" wri
>>  te by * none
>> olcAccess: {1}to dn.base="" by * read
>> olcAccess: {2}to * by self write by dn="cn=admin,dc=ldap,dc=com" wr
>>  ite by * read
> OK, I think I understand your problem now.  As Brendan mentioned,
> cn=config is not a user object, you can't set a userPassword on it.
> It's still possible to bind to it, because it's your RootDN, and RootPW
> is set.  But this will give it access to its own database only, and skip
> ACL processing anyway.  So the idea I gave you is good, but you have to
> use a normal user object with userPassword instead of cn=config.  You
> can't create such an object in the config database, but anything else
> goes; let's say its cn=root,dc=example,dc=com.  Use this in your ACLs
> for each database (cn=config included, if you want):
> olcAccess: {0}to * by dn.base=cn=root,dc=example,dc=com manage
> [...]
> and you should be set.  So to correct my answer to your original
> question: what you want (use cn=config with simple bind to manage all
> your databases) is not possible.  Using any normal user object instead
> of cn=config should work, though.  At least according to my limited
> understanding.  Sorry for mistaking this earlier.
> --
> Regards,
> Feri.