[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Admin roles by group membership per OU

To: Clément OUDOT <clement.oudot@savoirfairelinux.com>
Subject: Re: Admin roles by group membership per OU
From: Ervin Hegedüs <airween@gmail.com>
Date: Thu, 12 Oct 2017 16:39:45 +0200
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=MU2OA2NRrB7D8KS52eCyhb12bFc+1PDAhb+kBhOhxRQ=; b=abIAtFyHKtqBPx3zFmGLFGjqI7c5rHbHGfdDdxGtS7mDmpby40QjX5tNsofMvj7w6h 0RmRxtWOeK4Jw5/oX+Nm5vC5a3mSFwn/AZ/Z8bMLUUVdSDI/7riFvSBQqpWPWL4+5VkM 5JIuqXld9Q9SGnJh4CYOZZPwyAmEF8TcFvVsZRAuCuY5u0+ZCWrwm+w873XGt/P2VFC5 yIlU3GQay4EZk1gO4eQurKbGBDiw1FKws1OtWNe+Kn7HuSiDVMul+50j44us+wQP5pPc auo38ulNRsRAd4Yn+1xC3yitTRd5CAkFkaQHTOY6+Ha2fAQyusV8N2vdcg4CseeY8kk5 RNJw==
In-reply-to: <5411f0bd-bf3d-1a88-650b-8f8e845815df@savoirfairelinux.com>
References: <20171011153114.GA6037@arxnet.hu> <5411f0bd-bf3d-1a88-650b-8f8e845815df@savoirfairelinux.com>
User-agent: Mutt/1.5.24 (2015-08-30)

Hi Clément,

thanks for your help,

On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
> 
> 
> Le 11/10/2017 à 17:31, Ervin Hegedüs a écrit :
> >olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> >olcAccess: {1}to dn.base="" by * read
> >olcAccess: {2}to * by * read
> >olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
> 
> The rule {2} catches all requests (to *  by *) so rule {3} is never applied.
> 
> You can do :
> 
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> anonymous auth by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self
> write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
> write by * none
> olcAccess: {3}to * by * read

whit these rules, I could't read with anonymous nor authenticated
user from the DB, only the self record.

So, I've modified your idea like this:


olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth
olcAccess: {3}to * by * read

Whith this rules, I can modify the user attributes, except the
userPassword.

But after the modificítion (on master node), de slave can't
replicates the new entries...

Without rule {2}, the slave works as well with repuser dn.

What did I made badly?

Thanks,


a.

Follow-Ups:
- Re: Admin roles by group membership per OU
  - From: Clément OUDOT <clement.oudot@savoirfairelinux.com>
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Michael Ströder <michael@stroeder.com>

References:
- Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Clément OUDOT <clement.oudot@savoirfairelinux.com>

Prev by Date: Re: Question about automounting nfs directories within ldap
Next by Date: Re: Admin roles by group membership per OU
Index(es):
- Chronological
- Thread