[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Admin roles by group membership per OU

To: Clément OUDOT <clement.oudot@savoirfairelinux.com>
Subject: Re: Admin roles by group membership per OU
From: Ervin Hegedüs <airween@gmail.com>
Date: Thu, 12 Oct 2017 17:02:19 +0200
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=55qykSqU7kevrmN6LB6ShCOiZoMFmQPseFr2UNp0JJk=; b=WY45PYEOwcXgoOVxaUsl69edNhVPxUFA6agbgICy62L0ulQ82MNU9umJxQvWCZpWs5 GqDLxT7gmtad20IQ3xSkhUBM45LbW9qHBNgNn4uM5Q+Lm671VkxeiWClD+dC3fO9cnk3 0wE6/rcoqcIMQ6f2Y3Zw1sRjR5Md7kccIPN7FEKZCnOhsMj/21XXjRwcBY7G0681J89Z 1ldZsY2ThxTHwzd+j0Ml/BmHekIpBDHF87l7MIn432fs1J1Gcd9avlpD8z8Pfo6k0gJ7 Rz+NE20A51QSEnJkjrDqfyvgB+VlCVH6mi7m5ufQ3AbVOlVgTX68z782t8rXc2mrF1En odbg==
In-reply-to: <20171012143945.GA24897@arxnet.hu>
References: <20171011153114.GA6037@arxnet.hu> <5411f0bd-bf3d-1a88-650b-8f8e845815df@savoirfairelinux.com> <20171012143945.GA24897@arxnet.hu>
User-agent: Mutt/1.5.24 (2015-08-30)

Hi,

sorry for the late answer,

On Thu, Oct 12, 2017 at 04:39:45PM +0200, Ervin Hegedüs wrote:
> On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
[...]

> > 
> > You can do :
> > 
> > olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> > anonymous auth by * none
> > olcAccess: {1}to dn.base="" by * read
> > olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self
> > write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
> > write by * none
> > olcAccess: {3}to * by * read
> 
[...]
 
> So, I've modified your idea like this:
> 
> 
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth
> olcAccess: {3}to * by * read
> 
> Whith this rules, I can modify the user attributes, except the
> userPassword.
> 
> But after the modificítion (on master node), de slave can't
> replicates the new entries...

here are the loglines:

Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: result not in cache (userPassword)
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: auth access to "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu" "userPassword" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [1] attr userPassword
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu", attr "userPassword" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: to value by "", (=0)
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: [2] applying auth(=xd) (stop)
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: [2] mask: auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: auth access granted by auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => mdb_entry_get: found entry: "uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: search access to "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu" "objectClass" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => dn: [2]
Oct 12 16:49:11 open-ldap slapd[31421]: => dn: [3] ou=abc customer,dc=mycompany,dc=hu
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [3] matched
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [3] attr objectClass
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu", attr "objectClass" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: to all values by "uid=repuser,dc=mycompany,dc=hu", (=0)
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_group_pat: cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
Oct 12 16:49:11 open-ldap slapd[31421]: => mdb_entry_get: found entry: "cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Oct 12 16:49:11 open-ldap slapd[31421]: => slap_access_allowed: search access denied by =0
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: no more rules

where:
* uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu is the admin
  user, who wants to execute the request; it's member of
  cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
* uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu is the OU
  user, they data could be modified
* uid=repuser,dc=mycompany,dc=hu is the replicator user





Thanks,

a.

References:
- Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Clément OUDOT <clement.oudot@savoirfairelinux.com>
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>

Prev by Date: Re: Admin roles by group membership per OU
Next by Date: Re: Admin roles by group membership per OU
Index(es):
- Chronological
- Thread