
Re: OpenLDAP permissions question

Howard Chu <hyc@symas.com> writes:

> Ferenc Wagner wrote:
>> Igor Shmukler <igor.shmukler@gmail.com> writes:
>>> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
>>>   s auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" wri
>>>   te by * none
>>> olcAccess: {1}to dn.base="" by * read
>>> olcAccess: {2}to * by self write by dn="cn=admin,dc=ldap,dc=com" wr
>>>   ite by * read
>> OK, I think I understand your problem now.  As Brendan mentioned,
>> cn=config is not a user object, you can't set a userPassword on it.
>> It's still possible to bind to it, because it's your RootDN, and RootPW
>> is set.  But this will give it access to its own database only, and skip
>> ACL processing anyway.  So the idea I gave you is good, but you have to
>> use a normal user object with userPassword instead of cn=config.  You
>> can't create such an object in the config database, but anything else
>> goes; let's say it's cn=root,dc=example,dc=com.  Use this in your ACLs
>> for each database (cn=config included, if you want):
>> olcAccess: {0}to * by dn.base=cn=root,dc=example,dc=com manage
>> [...]
>> and you should be set.  So to correct my answer to your original
>> question: what you want (use cn=config with simple bind to manage all
>> your databases) is not possible.  Using any normal user object instead
>> of cn=config should work, though.  At least according to my limited
>> understanding.  Sorry for mistaking this earlier.
> This is false. You can use cn=config with simple bind just like any
> other RootDN.

Sure, I also wrote above that he can (simple) bind to it, because it's
the RootDN and RootPW is also set.  But will it still participate in ACL
processing for other databases?  I mean, can you use it in ACLs just
like any normal user object with a userPassword?

Also, what happens if several databases have the same RootDN?
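As an added example (not part of this thread, and not something either poster wrote), here is Ferenc's suggestion written out as LDIF: a normal user object with a userPassword, then a leading olcAccess rule for each database that grants it manage. The suffix dc=example,dc=com, the database entry olcDatabase={1}mdb, and the password hash are assumptions; the three data-database rules after the new one are Igor's, kept exactly as he posted them. The trailing "by * break" on the new rule is what keeps evaluation going into the remaining rules for everyone else; a bare "to * by dn.base=... manage" as the first rule would stop ACL processing with no access for every other bind DN.

```ldif
# Added example, not from the thread. Hypothetical suffix dc=example,dc=com.
# 1. A regular entry that can hold a userPassword and therefore can be named
#    in ACLs (cn=config cannot carry a userPassword, but any normal entry can).
dn: cn=root,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: root
description: directory-wide manager; privileges come only from olcAccess rules
# Placeholder: replace with the {SSHA} hash printed by slappasswd.
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT

# 2. Data database (assumed to be olcDatabase={1}mdb). The new {0} rule is
#    inserted first; Igor's original rules follow, renumbered, unchanged.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=root,dc=example,dc=com" manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldap,dc=com" write by dn="cn=config" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=ldap,dc=com" write by * read

# 3. Optionally the config database as well. The {0} prefix on an add inserts
#    the value at position 0 ahead of any olcAccess values already present.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="cn=root,dc=example,dc=com" manage by * break
```

Load the first record with ldapadd as the data database's existing RootDN (for example `ldapadd -x -H ldap://localhost -D cn=admin,dc=ldap,dc=com -W -f root-user.ldif`) and the two modify records over ldapi with the local root identity that is normally allowed to edit cn=config (`ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif`). To confirm the new entry is actually being evaluated through the ACLs rather than as a RootDN, bind as it with `ldapwhoami -x -D cn=root,dc=example,dc=com -W` and then run a search or modify against each database; since cn=root is not any database's RootDN, every operation it performs is subject to these olcAccess rules and shows up in the ACL debug output (`loglevel acl`) like any other user.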