[KLUG Members] OpenLDAP + TLS

Matty members@kalamazoolinux.org
Thu, 26 Dec 2002 14:26:56 -0500


Adam Tauno Williams wrote:
>>I am also having one other small issue. If I add
>>a cn, and want to allow that cn to only write to one branch of the
>>tree, I would think the following access controls would work:
>>access to dn="ou=contacts,dc=dom,dc=com"
>>         by      dn="cn=email,dc=dom,dc=com"           write
>>access to *
>>        by      dn="cn=Manager,dc=dom,dc=com"         write
> 
> 
> If I understand correctly what you are trying to do, I think you want -
> 
> access to dn="ou=People,o=Morrison Industries,c=US"
>   attrs=children,entry
>   by dn="cn=Manager,dc=com,dc=com" write
> access to dn=".*,ou=People,o=Morrison Industries,c=US"
>   by dn="cn=Manager,dc=com,dc=com" write
> 
> The ability to create/delete objects is separate from the ability to create/delete
> attributes in an object (more or less).
> 
> To be perfect I'd add an attrs clause to the second rule to only allow the
> attributes that belong to the objectclass you expect the manager to be creating
> there.  That way they can't create potentially bad objects (service entries,
> etc..) there and muck things up.
> 
> 
>>I am consistently getting permission denied when I bind as the
>>user email :( According to the openldap site and Adam's awesome
>>LDAPv3 presentation, I thought this would work. So far no go :(
> 
> 
> You get an error binding or attempting to modify?  What is your default access?
>  The DSA will need to give auth access to objects you expect to use in
> authentication if your defaultaccess is set to none as that applies to the DSA
> itself as well.

I am looking to add all of my contacts to "ou=contacts,dc=dom,dc=com." I 
would like the common name "email" to bind to the directory and update 
anything under "ou=contacts,dc=dom,dc=com." I do not want email to be able 
to touch any other branches of the directory. What I 
see when I bind as email is:

[matty@winnie:/export/home/matty 1017] $ ldapsearch \
 > -D 'cn=email,dc=dom,dc=com' -b 'ou=contacts,dc=dom,dc=com' \
 > '(objectclass=*)'
Bind Password:
ldap_simple_bind_s: Insufficient access

The entry for email is:

cn=email,dc=dom,dc=com
objectClass=top
objectClass=organizationalRole
objectClass=simpleSecurityObject
cn=email
description=User allowed to update the contacts tree
userPassword= {MD5}2d7416a31d35e5de911a18c74a4efa44

The documentation on openldap.org is somewhat lacking (IMHO) in its
explanation of Access Control. I need to reread your ldapv3 guide, and 
see what Access Control coverage you have.

Thanks for your help,
Ryan
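An added example, not part of the original thread: a slapd.conf ACL set that puts Adam's two points together for Ryan's DNs. It assumes the OpenLDAP 2.0/2.1-era `dn="<regex>"` rule style that Adam's quoted rules use, and the `children`/`entry` pseudo-attributes from his first rule; the DNs are the ones quoted in the message. Rule order matters, because slapd applies the first `access to` clause whose target matches and then stops.

```conf
# Added example (not from the original post). Assumed syntax: OpenLDAP
# 2.0/2.1 slapd.conf, dn="<regex>" rule style as in Adam's quoted rules.

# 1. Let the DSA verify passwords. A simple bind is evaluated *before*
#    the user is known, so the password lookup runs with anonymous
#    rights. Ryan's original list had only a catch-all rule, and every
#    "access to" clause ends in an implicit "by * none", so that lookup
#    was denied and the bind failed with "Insufficient access" before
#    the ou=contacts rule was ever consulted.
access to attrs=userPassword
        by self                             write
        by anonymous                        auth
        by *                                none

# 2. Adding/deleting entries directly under ou=contacts is governed by
#    the children/entry pseudo-attributes of the container, as Adam's
#    first rule shows; granting write on the container's real
#    attributes does not give this.
access to dn="ou=contacts,dc=dom,dc=com" attrs=children,entry
        by dn="cn=email,dc=dom,dc=com"      write
        by dn="cn=Manager,dc=dom,dc=com"    write
        by *                                none

# 3. Modifying the attributes of entries *inside* the contacts subtree
#    is a separate rule (regex: anything ending in ",ou=contacts,...").
#    Adding an attrs= list of the contact object classes' attributes
#    here, as Adam suggests, would keep cn=email from creating
#    unexpected object types in the tree.
access to dn=".*,ou=contacts,dc=dom,dc=com"
        by dn="cn=email,dc=dom,dc=com"      write
        by dn="cn=Manager,dc=dom,dc=com"    write
        by *                                none

# 4. Everything else stays Manager-only. The trailing "by * none" is
#    written out here to make the default visible; slapd appends it
#    implicitly if it is left off, which is what bit the bind above.
access to *
        by dn="cn=Manager,dc=dom,dc=com"    write
        by *                                none
```

Because rule 1 comes first, `userPassword` is excluded from the write grant in rules 2 and 3, so cn=email cannot set passwords on anything but its own entry; that is intended. A quick check after restarting slapd is to repeat Ryan's `ldapsearch -D 'cn=email,dc=dom,dc=com' -b 'ou=contacts,dc=dom,dc=com' '(objectclass=*)'`: the bind should now succeed, and an add or modify under `ou=contacts` as cn=email should work while the same operation elsewhere in the tree is still refused.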