[KLUG Members] OpenLDAP + TLS
Matty
members@kalamazoolinux.org
Thu, 26 Dec 2002 14:26:56 -0500
Adam Tauno Williams wrote:
>>I am also having one other small issue. If I add
>>a cn, and want to allow that cn to only write to one branch of the
>>tree, I would think the following access controls would work:
>>access to dn="ou=contacts,dc=dom,dc=com"
>> by dn="cn=email,dc=dom,dc=com" write
>>access to *
>> by dn="cn=Manager,dc=dom,dc=com" write
>
>
> If I understand correctly what you are trying to do, I think you want -
>
> access to dn="ou=People,o=Morrison Industries,c=US"
> attrs=children,entry
> by dn="cn=Manager,dc=com,dc=com" write
> access to dn=".*,ou=People,o=Morrison Industries,c=US"
> by dn="cn=Manager,dc=com,dc=com" write
>
> Ability to create/delete objects is separate from the ability to create/delete
> attributes in an object (more or less).
>
> To be perfect I'd add an attrs clause to the second rule to only allow the
> attributes that belong to the objectclass you expect the manager to be creating
> there. That way they can't create potentially bad objects (service entries,
> etc..) there and muck things up.
>
>
>>I am consistently getting permission denied when I bind as the
>>user email :( According to the openldap site and Adam's awesome
>>LDAPv3 presentation, I thought this would work. So far no go :(
>
>
> You get an error binding or attempting to modify? What is your default access?
> The DSA will need to give auth access to objects you expect to use in
> authentication if your defaultaccess is set to none as that applies to the DSA
> itself as well.
I am looking to add all of my contacts to "ou=contacts,dc=dom,dc=com". I
would like the common name "email" to bind to the directory and update
anything under "ou=contacts,dc=dom,dc=com". I do not want email to be
able to touch any other branches of the directory. What I see when I
bind as email is:
[matty@winnie:/export/home/matty 1017] $ ldapsearch \
> -D 'cn=email,dc=dom,dc=com' -b 'ou=contacts,dc=dom,dc=com' \
> '(objectclass=*)'
Bind Password:
ldap_simple_bind_s: Insufficient access
The entry for email is:
cn=email,dc=dom,dc=com
objectClass=top
objectClass=organizationalRole
objectClass=simpleSecurityObject
cn=email
description=User allowed to update the contacts tree
userPassword= {MD5}2d7416a31d35e5de911a18c74a4efa44
The documentation on openldap.org is somewhat lacking (IMHO) in their
explanation of Access Control. I need to reread your ldapv3 guide, and
see what Access Control coverage you have.
Thanks for your help,
Ryan
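An ACL set for the layout Ryan describes, added here as an example; it is not from the thread and not from Adam's presentation. It assumes OpenLDAP 2.1 slapd.conf syntax (the dn.subtree / dn.exact qualifiers), the DNs used in the thread, and that cn=Manager,dc=dom,dc=com is the database rootdn, which bypasses ACLs. It also shows why the bind in the thread fails: with the two rules Ryan posted, the catch-all "access to *" is the first rule that matches cn=email's own entry, and its implicit trailing "by * none" denies slapd the auth access to userPassword it needs to check the bind.

```conf
# Added example (not the thread's own config): slapd.conf access rules for
# dc=dom,dc=com in OpenLDAP 2.1 syntax.
# Assumptions: suffix is dc=dom,dc=com; cn=Manager,dc=dom,dc=com is the
# rootdn, so it needs no "by" clauses at all.
#
# slapd walks the "access to" clauses in order and uses the first whose
# target matches the entry and attribute; within that clause the first
# matching "by" wins. Once any access directive exists, every clause ends
# in an implicit "by * none", so order matters: specific rules go first.

# 1. Passwords. A simple bind needs "auth" access to the bind DN's
#    userPassword before any other rule is consulted. Without this clause
#    "access to *" below would match cn=email's entry and deny the bind
#    with "Insufficient access".
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The contacts branch. dn.subtree covers ou=contacts itself and every
#    entry beneath it; "write" implies read/search as well.
#    OpenLDAP 2.0 has no dn.subtree: there use the regex form
#    dn=".*,ou=contacts,dc=dom,dc=com" for the children plus a second
#    rule for the base entry, as in Adam's snippet.
access to dn.subtree="ou=contacts,dc=dom,dc=com"
        by dn.exact="cn=email,dc=dom,dc=com" write
        by users read
        by * none

# 3. Everything else. cn=email only ever matches "users read" here, so it
#    can look at but not modify any other branch. "by * none" is implicit
#    but written out so the intent is visible.
access to *
        by users read
        by * none
```

After restarting slapd, repeat the search from the thread with an explicit simple bind (ldapsearch in 2.1 defaults to SASL unless -x is given): ldapsearch -x -D 'cn=email,dc=dom,dc=com' -W -b 'ou=contacts,dc=dom,dc=com' '(objectClass=*)'. The bind should now succeed, and an ldapmodify as cn=email against an entry outside ou=contacts should fail with insufficient access, which is the behaviour Ryan is after.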