[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Removing olcAccess entry

To: Katherine Faella <kmf@uri.edu>
Subject: Re: Removing olcAccess entry
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Tue, 12 Jan 2016 12:07:28 -0800
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-filter: OpenDKIM Filter v2.10.3 edge01.zimbra.com 8D40444220
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zimbra.com; s=C2AA288C-EE47-11E2-9BB0-E820BDD9BDBF; t=1452629250; bh=yHFRe0rTPwc4pXA0qTF3Wdl8F5Sd9THX2nZnShdMzY8=; h=Date:From:To:Message-ID:MIME-Version; b=acLaQN64Ore/5zTqdeRSfz2t6mGW/eNCtgNyEVAwF2N4Cuiw7i4CyYDtUEr3bumas y/zIk4f6uF7clzfoSMuZKVMoTtgZOz9gzn5lpT2CvlfRfIt6sOmCc1tKxcO9kIlW1v AX2+wy7EB/OD2PRmkFrffFny9ybY2UxKexqtCAvs=
In-reply-to: <CAOWsejKwPPY+U7qxJYP_E3WiPWU=Q4LJaP-SCfp4LbdxTpcrKA@mail.gmail.com>
References: <CAOWsejKaHsybZrmQrYhtpyUxBA8e60BoUkMobWcvc60HU+TQqw@mail.gmail.com> <E7D2D958-B1C0-4591-93AD-54885D33B9CD@bitrate.net> <56955031.1050204@symas.com> <CAOWsej+T1rELeSDQbDRe4Kz-s3j9CCC5QB8EKJCgwRPsGcJUEA@mail.gmail.com> <FB684FF8BB30B1A42093982B@192.168.1.9> <CAOWsejKwPPY+U7qxJYP_E3WiPWU=Q4LJaP-SCfp4LbdxTpcrKA@mail.gmail.com>

--On Tuesday, January 12, 2016 2:55 PM -0500 Katherine Faella <kmf@uri.edu>wrote:


Hi Kathy,

I was afraid you were going to ask that.  We are running the Redhat 6
supported  2.4.40-7.el6_7.  We have a policy here of sticking with the
redhat supported releases of packages since our staff is so small.

Extremely ill advised for a number of reasons. I'd suggest using the LTBproject software instead, since it actually links to secure TLS software.2.4.40 had some serious bugs as well. You can set up the LTB software viatheir YUM repository.


<http://ltb-project.org/wiki/download#openldap>
<http://ltb-project.org/wiki/documentation/openldap-rpm#yum_repository>

I really need to resolve this for an important project here. Of course
the project is behind schedule and I am left with little time to get my
stuff working.  I was hoping my syntax was just incorrect.  The only
other way I can image fixing this is to revert to slapd.conf ....  

I guess the good news is that my steps and syntax look okay to you.  If
you have any other thoughts I would happily accept them.


Just tested, and can confirm it works correctly for me:

[zimbra@zre-ldap003 ~]$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w8utM5cM7v0 -b "olcDatabase={2}mdb,cn=config" -s base olcAccess

dn: olcDatabase={2}mdb,cn=config

olcAccess: {0}to attrs=userPassword by anonymous auth bydn.children="cn=adm

ins,cn=zimbra" write

olcAccess: {1}to dn.subtree="cn=zimbra" bydn.children="cn=admins,cn=zimbra"

write

olcAccess: {2}toattrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zi

mbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,z

imbraIsAdminAccount,zimbraAuthLdapSearchBindPassword bydn.children="cn=admi

ns,cn=zimbra" write  by * none

olcAccess: {3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra"writeby dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read bydn.base="uid=zmam

avis,cn=appaccts,cn=zimbra" read  by users read  by * none

olcAccess: {4}to attrs=@amavisAccount by dn.children="cn=admins,cn=zimbra"wr

ite  by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * +0 break

olcAccess: {5}to attrs=mail by dn.children="cn=admins,cn=zimbra" write bydn

.base="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * +0 break

olcAccess: {6}toattrs=zimbraAllowFromAddress,DKIMIdentity,DKIMSelector,DKIMDomain,DKIMKey by dn.children="cn=admins,cn=zimbra" write bydn.base="uid=zmp

ostfix,cn=appaccts,cn=zimbra" read  by * none

olcAccess: {7}to filter="(!(zimbraHideInGal=TRUE))"attrs=cn,co,company,dc,di

splayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postal
Code,sn,st,street,streetAddress,telephoneNumber,title,uid,homePhone,pager,mob

ile,userCertificate by dn.children="cn=admins,cn=zimbra" write bydn.base="

uid=zmpostfix,cn=appaccts,cn=zimbra" read  by users read  by * none

olcAccess: {8}toattrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCa

nonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,z
imbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwar
dingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,z
imbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliv

eryDisabled,member,memberURL,zimbraMemberOf bydn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read bydn.base

="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * none

olcAccess: {9}to dn.subtree="cn=groups,cn=zimbra"attrs=zimbraMailAlias,member,zimbraMailStatus,entry by dn.children="cn=admins,cn=zimbra" write bydn.ba

se="uid=zmpostfix,cn=appaccts,cn=zimbra" read

olcAccess: {10}to attrs=entry by dn.children="cn=admins,cn=zimbra" writeby

* read


[zimbra@zre-ldap003 ~]$ cat /tmp/access-del.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}

[zimbra@zre-ldap003 ~]$ ldapmodify -x -H ldapi:/// -D cn=config -w8utM5cM7v0 -f /tmp/access-del.ldif

modifying entry "olcDatabase={2}mdb,cn=config"

[zimbra@zre-ldap003 ~]$

[zimbra@zre-ldap003 ~]$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w8utM5cM7v0 -b "olcDatabase={2}mdb,cn=config" -s base olcAccess

dn: olcDatabase={2}mdb,cn=config

olcAccess: {0}to dn.subtree="cn=zimbra" bydn.children="cn=admins,cn=zimbra"

write

olcAccess: {1}toattrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zi

mbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,z

imbraIsAdminAccount,zimbraAuthLdapSearchBindPassword bydn.children="cn=admi

ns,cn=zimbra" write  by * none

olcAccess: {2}to attrs=objectclass by dn.children="cn=admins,cn=zimbra"writeby dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read bydn.base="uid=zmam

avis,cn=appaccts,cn=zimbra" read  by users read  by * none

olcAccess: {3}to attrs=@amavisAccount by dn.children="cn=admins,cn=zimbra"wr

ite  by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * +0 break

olcAccess: {4}to attrs=mail by dn.children="cn=admins,cn=zimbra" write bydn

.base="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * +0 break

olcAccess: {5}toattrs=zimbraAllowFromAddress,DKIMIdentity,DKIMSelector,DKIMDomain,DKIMKey by dn.children="cn=admins,cn=zimbra" write bydn.base="uid=zmp

ostfix,cn=appaccts,cn=zimbra" read  by * none

olcAccess: {6}to filter="(!(zimbraHideInGal=TRUE))"attrs=cn,co,company,dc,di

splayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postal
Code,sn,st,street,streetAddress,telephoneNumber,title,uid,homePhone,pager,mob

ile,userCertificate by dn.children="cn=admins,cn=zimbra" write bydn.base="

uid=zmpostfix,cn=appaccts,cn=zimbra" read  by users read  by * none

olcAccess: {7}toattrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCa

nonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,z
imbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwar
dingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,z
imbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliv

eryDisabled,member,memberURL,zimbraMemberOf bydn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read bydn.base

="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * none

olcAccess: {8}to dn.subtree="cn=groups,cn=zimbra"attrs=zimbraMailAlias,member,zimbraMailStatus,entry by dn.children="cn=admins,cn=zimbra" write bydn.ba

se="uid=zmpostfix,cn=appaccts,cn=zimbra" read

olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" writeby *

 read


--Quanah



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- Removing olcAccess entry
  - From: Katherine Faella <kmf@uri.edu>
- Re: Removing olcAccess entry
  - From: btb@bitrate.net
- Re: Removing olcAccess entry
  - From: Howard Chu <hyc@symas.com>
- Re: Removing olcAccess entry
  - From: Katherine Faella <kmf@uri.edu>
- Re: Removing olcAccess entry
  - From: Katherine Faella <kmf@uri.edu>

Prev by Date: Re: Removing olcAccess entry
Next by Date: slapd dies
Index(es):
- Chronological
- Thread