
Re: Admin roles by group membership per OU



Hi all,

On Thu, Oct 12, 2017 at 11:06:00AM -0700, Quanah Gibson-Mount wrote:
> 
> 
> So for your back-mdb database, what one would expect is more something like:
> 
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
> anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
> olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self
> write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu"
> write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
> olcAccess: {2}to * by * read

Now the rules are:

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {2}to * by * read


and a member of cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu
can modify any attribute of any user under ou=ABC Customer,
EXCEPT userPassword. When I try to modify that, I get a
permission error:

ldap_modify: Insufficient access (50)

Oct 16 10:42:05 open-ldap slapd[31421]: => access_allowed: result not in cache (userPassword)
Oct 16 10:42:05 open-ldap slapd[31421]: => access_allowed: delete access to "uid=abc_airween,ou=ABC Customer,dc=core,dc=hdt,dc=hu" "userPassword" requested
Oct 16 10:42:05 open-ldap slapd[31421]: => acl_get: [1] attr userPassword
Oct 16 10:42:05 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_airween,ou=ABC Customer,dc=core,dc=hdt,dc=hu", attr "userPassword" requested
Oct 16 10:42:05 open-ldap slapd[31421]: => acl_mask: to all values by "uid=abc_user1,ou=abc customer,dc=core,dc=hdt,dc=hu", (=0)
Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: uid=repuser,dc=core,dc=hdt,dc=hu
Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: *
Oct 16 10:42:05 open-ldap slapd[31421]: <= acl_mask: [4] applying none(=0) (stop)
Oct 16 10:42:05 open-ldap slapd[31421]: <= acl_mask: [4] mask: none(=0)
Oct 16 10:42:05 open-ldap slapd[31421]: => slap_access_allowed: delete access denied by none(=0)
Oct 16 10:42:05 open-ldap slapd[31421]: => access_allowed: no more rules


How can I combine the attrs and group permissions? Should I list
all attributes in the rule?


Thanks,

a.
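The behaviour in the log follows from slapd's first-match evaluation: rule {0} is the first `to` clause that matches `userPassword`, so it alone is consulted, and since the group is not in its `by` list the final `by * none` applies. The following is an added example, not OpenLDAP code and not part of the thread: a small Python model of that first-match logic, run over the three olcAccess rules posted above and then over a corrected rule set that adds a rule scoped to both the OU and the password attributes. It models only the `<what>`/`<who>` forms used in the thread (`attrs=`, `dn.children=`, `*`, `self`, `anonymous`, `dn=`, `group.exact=`), supplies group membership directly instead of looking up the group entry, and treats "no `<who>` matched" and "no `<what>` matched" as deny, which is an assumption of the model. The requester `uid=abc_user2` and the target `uid=someone,ou=Other Customer` are invented for the example.

```python
"""Added example (not OpenLDAP code): a model of slapd's first-match ACL
evaluation over the olcAccess rules from the thread, then over a fixed set."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# slapd's privilege ordering; a clause granting X satisfies any request <= X.
# The "delete access" in the log is a write-level request (modify/replace).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn: str) -> str:
    # DN matching is case-insensitive (the log shows "ou=abc customer").
    return ",".join(p.strip().lower() for p in dn.split(","))


def is_child(dn: str, base: str) -> bool:
    """dn.children=<base>: strictly below base, at any depth."""
    return norm(dn) != norm(base) and norm(dn).endswith("," + norm(base))


@dataclass
class Rule:
    children_of: Optional[str] = None   # dn.children="..." ; None = any entry
    attrs: Optional[Set[str]] = None    # attrs=a,b ; None = entry and all attrs
    by: List[Tuple[str, Optional[str], str]] = field(default_factory=list)

    def matches_what(self, entry_dn: str, attr: Optional[str]) -> bool:
        if self.children_of is not None and not is_child(entry_dn, self.children_of):
            return False
        if self.attrs is not None:   # attrs= rules never match entry-level access
            return attr is not None and attr.lower() in {a.lower() for a in self.attrs}
        return True


@dataclass
class Requester:
    dn: Optional[str]                   # None = anonymous bind
    groups: Set[str] = field(default_factory=set)  # assumed, not looked up


def who_matches(kind: str, arg: Optional[str], req: Requester, entry_dn: str) -> bool:
    if kind == "*":
        return True
    if kind == "anonymous":
        return req.dn is None
    if req.dn is None:
        return False
    if kind == "self":
        return norm(req.dn) == norm(entry_dn)
    if kind == "dn":
        return norm(req.dn) == norm(arg)
    if kind == "group.exact":
        return norm(arg) in {norm(g) for g in req.groups}
    raise ValueError(f"unsupported <who> form: {kind}")


def access_allowed(rules, req, entry_dn, attr) -> Tuple[str, str]:
    """Return (granted level, trace). Only the first matching <what> is
    consulted; inside it the first matching <who> wins; no match means the
    implicit 'by * none' (model assumption). Indices are 1-based like the log."""
    for i, rule in enumerate(rules, 1):
        if not rule.matches_what(entry_dn, attr):
            continue
        for j, (kind, arg, level) in enumerate(rule.by, 1):
            if who_matches(kind, arg, req, entry_dn):
                return level, f"acl [{i}] by [{j}] {kind} -> {level}"
        return "none", f"acl [{i}] no <who> matched -> none"
    return "none", "no <what> matched -> none (assumed default)"


def allowed(rules, req, entry_dn, attr, requested) -> bool:
    level, _ = access_allowed(rules, req, entry_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(requested)


BASE = "dc=core,dc=hdt,dc=hu"
ABC = "ou=ABC Customer," + BASE
ADMINS = "cn=groupabcadmin," + ABC
REPUSER = "uid=repuser," + BASE
PW_ATTRS = {"userPassword", "shadowLastChange"}

# The rules exactly as posted: olcAccess {0}, {1}, {2}.
CURRENT = [
    Rule(attrs=PW_ATTRS, by=[("self", None, "write"), ("anonymous", None, "auth"),
                             ("dn", REPUSER, "read"), ("*", None, "none")]),
    Rule(children_of=ABC, by=[("self", None, "write"), ("group.exact", ADMINS, "write"),
                              ("dn", REPUSER, "read")]),
    Rule(by=[("*", None, "read")]),
]

# Fix: one rule scoped to BOTH the OU and the password attributes, placed
# first so first-match selects it. Adding the group to the global password
# rule instead would let ABC admins change passwords for the whole tree.
FIXED = [Rule(children_of=ABC, attrs=PW_ATTRS,
              by=[("self", None, "write"), ("anonymous", None, "auth"),
                  ("group.exact", ADMINS, "write"), ("dn", REPUSER, "read"),
                  ("*", None, "none")])] + CURRENT

# Constructed requesters and targets; abc_user2 and ou=Other Customer are invented.
admin = Requester("uid=abc_user1," + ABC, {ADMINS})
plain = Requester("uid=abc_user2," + ABC)
anon = Requester(None)
TARGET = "uid=abc_airween," + ABC
OUTSIDE = "uid=someone,ou=Other Customer," + BASE
```

Calling `access_allowed(CURRENT, admin, TARGET, "userPassword")` reproduces the trace in the log (acl [1], by clause [4], `*` applying `none`), while the same call against `FIXED` stops at the `group.exact` clause of the new first rule. The check worth keeping is `allowed(FIXED, admin, OUTSIDE, "userPassword", "write")`, which stays false: the OU admin group gains write on passwords only inside its own OU, and the original global password rule still protects everyone else.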