Help with olcAccess in openldap


Jeff Viola

Aug 6, 2014, 1:40:06 PM8/6/14
to pwm-g...@googlegroups.com
I'm using the following search filter in pwm for Administrator permissions and it works fine for finding my pwm admins. How do I enter this in the openldap file olcDatabase={2}bdb.ldif for olcAccess? I've tried a couple of variations, but I couldn't get it in the right form.

(&(objectClass=pwmUser)(memberOf=cn=sysadmins,ou=Admins,dc=domainname,dc=local))

Silvio Arcangeli

Aug 18, 2014, 5:40:43 AM8/18/14
to pwm-g...@googlegroups.com
Hi Jeff,
What do you mean by entering that filter on the OpenLDAP database for olcAccess?
Are you trying to set up access control rules in OpenLDAP to restrict access to your administrators only?
What kind of restrictions do you want to apply? (e.g. prevent any non-admin user from accessing any record but their own, etc.)

In general, you modify the access control rules of your OpenLDAP by modifying the olcAccess attribute of your database, via an LDIF file loaded on the fly (without having to stop and restart) through the ldapadd command.

In the admin guide there is a sample schema file; for more recent versions of OpenLDAP you'll have to convert it to an LDIF.
Here's a sample basic LDIF to give you an idea.

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
        by group.exact="cn=Admins,ou=Groups,dc=yourdomain,dc=org" write
        by self write
        by anonymous auth
        by * none
olcAccess: to dn.subtree="ou=People,dc=yourdomain,dc=org"
        by self write
        by users read
        by anonymous auth
olcAccess: to dn.subtree="dc=yourdomain,dc=org"
        by group.exact="cn=Admins,ou=Groups,dc=yourdomain,dc=org" write
olcAccess: to dn.base=""
        by * read
olcAccess: to *
        by * none

Jeff Viola

Aug 18, 2014, 1:47:39 PM8/18/14
to pwm-g...@googlegroups.com
Since I wasn't able to get the (&(objectClass=pwmUser)(memberOf=cn=sysadmins,ou=Admins,dc=domainname,dc=local)) to work in /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif I just added each user in the sysadmins group to the olcAccess lines as seen below. I'd like to be able to add group.exact or something that can extract the users from cn=sysadmins,ou=Admins,dc=domainname,dc=local because the number of sysadmins will continue to grow over time. With the entries below things seem to be working fine.

olcAccess: {0}to attrs=userPassword,shadowLastChange,pwmResponseSet,pwmLastPwdUpdate,pwmGUID,pwmUser,pwmEventLog by dn="cn=Manager,dc=domainname,dc=local" write by dn="uid=john...@somedomain.com,ou=Users,dc=domainname,dc=local" write by dn="uid=pwma...@somedomain.com,ou=Users,dc=domainname,dc=local" write  by anonymous auth by self write by * none

olcAccess: {1}to dn.subtree="ou=Users,dc=domainname,dc=local" by dn="cn=Manager,dc=domainname,dc=local" write by dn="uid=john...@somedomain.com,ou=Users,dc=domainname,dc=local" write by dn="uid=pwma...@somedomain.com,ou=Users,dc=domainname,dc=local" write by anonymous auth by self write by * none

olcAccess: {2}to dn.base="" by Users read by * none

olcAccess: {3}to * by dn="cn=Manager,dc=domainname,dc=local" write by dn="uid=john...@somedomain.com,ou=Users,dc=domainname,dc=local" read by dn="uid=pwma...@somedomain.com,ou=Users,dc=domainname,dc=local" read by * none
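The change Jeff's follow-up asks for, as an added example that is not from any post in this thread: the memberOf test in his pwm filter becomes a group.exact "by" clause (the form Silvio's sample uses), replacing the per-user dn= clauses. It assumes the database is olcDatabase={2}bdb,cn=config, that cn=sysadmins is a groupOfNames whose members are in its member attribute, and that slapd is reachable over ldapi:/// as root; the uid values in the check are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: DB_DN, a groupOfNames
# sysadmins group, ldapi:/// with SASL EXTERNAL available to root.
GROUP_DN='cn=sysadmins,ou=Admins,dc=domainname,dc=local'
MANAGER_DN='cn=Manager,dc=domainname,dc=local'
DB_DN='olcDatabase={2}bdb,cn=config'
PWM_ATTRS='userPassword,shadowLastChange,pwmResponseSet,pwmLastPwdUpdate,pwmGUID,pwmUser,pwmEventLog'

# Print the modify LDIF. "replace" rewrites the whole olcAccess list (the
# existing {0}-{3} values are dropped), and the {n} prefixes fix the order:
# slapd uses the first "to" clause that matches the target.
emit_sysadmin_acl_ldif() {
  cat <<EOF
dn: $DB_DN
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=$PWM_ATTRS
  by dn.exact="$MANAGER_DN" write
  by group.exact="$GROUP_DN" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.subtree="ou=Users,dc=domainname,dc=local"
  by dn.exact="$MANAGER_DN" write
  by group.exact="$GROUP_DN" write
  by anonymous auth
  by self write
  by * none
olcAccess: {2}to dn.base=""
  by users read
  by * none
olcAccess: {3}to *
  by dn.exact="$MANAGER_DN" write
  by group.exact="$GROUP_DN" read
  by * none
EOF
}

# Load the ACL live (no slapd restart), then confirm that a group member
# (hypothetical uid) really gets write on another user's userPassword.
apply_and_check() {
  emit_sysadmin_acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  slapacl -F /etc/openldap/slapd.d \
    -D "uid=someadmin,ou=Users,dc=domainname,dc=local" \
    -b "uid=someone,ou=Users,dc=domainname,dc=local" userPassword/write
}
```

group.exact defaults to objectClass groupOfNames and attribute member; if sysadmins is a groupOfUniqueNames, write the clause as group/groupOfUniqueNames/uniqueMember.exact="..." instead.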