Re: OpenLDAP permissions question
Marc,
> - Configure a rootdn with rootpw for each database. Use this to
> authenticate to slapd and modify things.
> This works? Fine, go on.
Been working for a while
> - Create a user entry inside your DIT.
> Use this entry as rootdn.
> This works? Fine, go on.
> - Map this user entry from your local unix user with olcAuthzRegexp
> to use with ldapi and EXTERNAL.
> This works? Fine, go on.
I am with you.
> - or make your first steps with ACLs and another user entry.
What do I do here?
> Do you need multiple mappings?
I understand that the config database would allow me to have up to fifty
mappings. I just don't understand how those could work for my need.
> As you are one user on your system, this maps to one user in ldap with
> olcAuthzRegexp.
> As Micheal already posted:
>
> authz-regexp
> "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
> "cn=root,dc=example,dc=com"
>
> uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.
I don't understand how this COULD work. Please explain why admin in
DIT 1 would have manage rights to DIT 2.
Sincerely,
Igor Shmukler
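
Added example, not part of the original message or of any poster's configuration: a slapd.conf sketch of how the quoted authz-regexp mapping relates to access in two databases. The mapping only fixes which DN the ldapi/EXTERNAL client is bound as; that DN can act on a second DIT only if that database's own access rules name it. The second suffix, the mdb backend and the directory paths are assumptions made for illustration.

```conf
# Global section: identity mapping only.
# It decides WHO the local uid 0 client is after an ldapi + SASL EXTERNAL
# bind. It grants no access to any database by itself.
authz-regexp
    "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=root,dc=example,dc=com"

# DIT 1: the mapped DN is this database's rootdn, so it bypasses the
# access rules of THIS database only.
database    mdb
suffix      "dc=example,dc=com"
# assumed path
directory   /var/lib/ldap/example-com
rootdn      "cn=root,dc=example,dc=com"

# DIT 2 (assumed suffix): a separate database with its own rootdn.
# cn=root,dc=example,dc=com is an ordinary identity here and gets nothing
# unless an access rule in this database names it explicitly.
database    mdb
suffix      "dc=example,dc=org"
# assumed path
directory   /var/lib/ldap/example-org
rootdn      "cn=root,dc=example,dc=org"

# Explicit cross-database grant: the DN from DIT 1 gets manage on DIT 2.
# "by * break" hands every other identity on to the rules that follow.
access to *
    by dn.exact="cn=root,dc=example,dc=com" manage
    by * break
# ... this database's remaining access rules follow here
```

Without the `access to *` rule in the second database, the mapped identity authenticates successfully but is evaluated there like any other non-rootdn user.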