Re: OpenLDAP permissions question
Hello Ferenc,
Thank you for the answer. This is even more confusing.
I am going to slightly rephrase what you were suggesting, only to
confirm that I understood you. I am not at all sure I did.
I have an OpenLDAP server with multiple databases: a config database -
{0}config,cn=config plus several for DITs {1}hdb,cn=config and also
{2}hdb,cn=config ... {n}hdb,cn=config
Are you saying that I could pick an administrator associated with
database X [let's say 2] for some domain dc=example,dc=com and give
this user identified by DN: cn=admin,dc=example,com rights to manage
records in all DITs?
Basically, something like "$ldapdelete -x -D
cn=admin,dc=example,dc=com -W cn=john,dc=directory,dc=com" would
successfully delete an entry from a DIT with index Y [say 1].
I apologize for asking these questions, but I have been given a lot of
advice some of which was aimed to solve other problems. Apparently, my
ability to clearly explain what I need is not much better than the
ability to comprehend OpenLDAP docs.
Sincerely,
Igor Shmukler
On Fri, Mar 20, 2015 at 10:19 AM, Ferenc Wagner <wferi@niif.hu> wrote:
> Igor Shmukler <igor.shmukler@gmail.com> writes:
>
>> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" write by * none
>> olcAccess: {1}to dn.base="" by * read
>> olcAccess: {2}to * by self write by dn="cn=admin,dc=ldap,dc=com" write by * read
>
> OK, I think I understand your problem now. As Brendan mentioned,
> cn=config is not a user object, you can't set a userPassword on it.
> It's still possible to bind to it, because it's your RootDN, and RootPW
> is set. But this will give it access to its own database only, and skip
> ACL processing anyway. So the idea I gave you is good, but you have to
> use a normal user object with userPassword instead of cn=config. You
> can't create such an object in the config database, but anything else
> goes; let's say it's cn=root,dc=example,dc=com. Use this in your ACLs
> for each database (cn=config included, if you want):
>
> olcAccess: {0}to * by dn.base=cn=root,dc=example,dc=com manage
> [...]
>
> and you should be set. So to correct my answer to your original
> question: what you want (use cn=config with simple bind to manage all
> your databases) is not possible. Using any normal user object instead
> of cn=config should work, though. At least according to my limited
> understanding. Sorry for mistaking this earlier.
> --
> Regards,
> Feri.
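The ACL behaviour Feri describes (one olcAccess list per database, the rootDN bypass limited to its own database, an ordinary user object granted manage everywhere), as an added example that is not part of this thread: a small Python model of slapd's first-match ACL evaluation, run over ACLs constructed after the ones quoted above. The second DIT dc=directory,dc=com with rootdn cn=admin,dc=directory,dc=com is assumed from Igor's ldapdelete example; the `by * none break` control is standard slapd.access(5) syntax, added here because a bare `{0}to * by ... manage` placed first matches every entry and, through the implicit `by * none`, would lock every other user out.

```python
import re
# Simplified model of slapd ACL evaluation (slapd.access(5)): one olcAccess list per database,
# first matching <to> clause wins, then the first matching <by> clause; rootdn bypasses ACLs only
# in its own database. Subset modelled: <what> "*"/dn.base=, <who> "*"/self/dn=, control break.
def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.base)?="?([^"]*)"?', who)     # dn= treated as an exact match
    return bool(m) and bind_dn is not None and bind_dn.lower() == m.group(1).lower()

def _what_matches(what, target_dn):
    m = re.fullmatch(r'dn\.base="?([^"]*)"?', what)
    return what == "*" or (bool(m) and target_dn.lower() == m.group(1).lower())

def access_level(dbs, bind_dn, target_dn):
    """dbs: {suffix: (rootdn, [olcAccess values in order])}; returns the access level granted."""
    suffix = max((s for s in dbs if target_dn.lower().endswith(s.lower())), key=len, default="")
    rootdn, rules = dbs.get(suffix, ("", []))               # target outside every database: no rules
    if bind_dn and bind_dn.lower() == rootdn.lower():
        return "manage"                                     # rootdn skips ACLs, this database only
    for rule in rules:
        to_part, *by_parts = re.sub(r"^\{\d+\}", "", rule).split(" by ")
        if not _what_matches(to_part.split(None, 1)[1], target_dn):
            continue
        for clause in by_parts:
            tokens = clause.split()
            control = tokens.pop() if tokens[-1] in ("stop", "break") else "stop"
            level, who = tokens.pop(), " ".join(tokens)
            if _who_matches(who, bind_dn, target_dn):
                if control == "break":
                    break                                   # "break": carry on with the next rule
                return level
        else:
            return "none"                                   # implicit "by * none" closes every rule
    return "none"                                           # no <to> clause matched (simplified)

# Constructed setup: two DITs, each with its own rootdn; ACLs modelled on the ones in the thread
DBS = {
    "dc=example,dc=com": ("cn=admin,dc=example,dc=com",
        ['{0}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read']),
    "dc=directory,dc=com": ("cn=admin,dc=directory,dc=com", ["{0}to * by self write by * read"]),
}
# Feri's shared-manager rule placed first; "by * none break" sends everyone else on to the old rules
SHARED_MANAGE = 'to * by dn.base="cn=root,dc=example,dc=com" manage by * none break'

def add_shared_manage(dbs, rule=SHARED_MANAGE):
    # Copy of dbs with the rule inserted as {0} everywhere (list order stands in for {n} order)
    return {s: (rootdn, ["{0}" + rule] + rules) for s, (rootdn, rules) in dbs.items()}
```

Run `access_level(add_shared_manage(DBS), "cn=root,dc=example,dc=com", "cn=john,dc=directory,dc=com")` to see the cross-database manage grant; drop the `by * none break` from the rule and the same call for any other bind DN returns "none".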