OpenLDAP ACL Help

Discussion in 'Server Operation' started by flubdgub, Jun 24, 2011.

    flubdgub (New Member)

    I have OpenLDAP openldap-2.3.43 running on CentOS5.6, configured with TLS.

    Everything is working fine, server is running, clients authenticate -- UNIX accounts via ou=People, Web accounts via ou=WebPeople.

    I can add and manage users using the 'rootdn' account...

    BUT I'd like to have some "Managers" for subgroups, and I can't figure out how to make ACLs to do this.

    All Apache 'web accounts' are made in this ou:
    ou=WebPeople,dc=example,dc=com

    All Apache 'web master' accounts are made in this ou:
    ou=WebManagers,dc=example,dc=com


    What I did:

    -- Made a WebManagers ou, and added webmaster user to it:

    dn: uid=webmaster,ou=WebManagers,dc=example,dc=com
    objectClass: inetOrgPerson
    cn: Web Master
    sn: WebMaster
    uid: webmaster
    userPassword: <SNIP>
    ou: WebManager

    -- Added this ACL to /etc/openldap/slapd.conf:

    ##
    ## ACL1
    ##

    access to dn.one="ou=WebPeople,dc=example,dc=com"
    attrs=children
    by group.exact="ou=WebManagers,dc=example,dc=com" write
    by users read


    -----

    When I do this, UNIX authentication (ou=People) no longer works. I have to disable the ACLs to get it back.

    Basically I need help writing the ACLs properly... Here's my slapd.conf

    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema

    # Allow LDAPv2 client connections. This is NOT the default.
    allow bind_v2

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    # Load dynamic backend modules:
    # modulepath /usr/lib64/openldap

    # Modules available in openldap-servers-overlays RPM package
    # Module syncprov.la is now statically linked with slapd and there
    # is no need to load it here
    # moduleload accesslog.la
    # moduleload auditlog.la
    # moduleload denyop.la
    # moduleload dyngroup.la
    # moduleload dynlist.la
    # moduleload lastmod.la
    # moduleload pcache.la
    # moduleload ppolicy.la
    # moduleload refint.la
    # moduleload retcode.la
    # moduleload rwm.la
    # moduleload smbk5pwd.la
    # moduleload translucent.la
    # moduleload unique.la
    # moduleload valsort.la

    # modules available in openldap-servers-sql RPM package:
    # moduleload back_sql.la

    # The next three lines allow use of TLS for encrypting connections using a
    # dummy test certificate which you can generate by changing to
    # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
    # slapd.pem so that the ldap user or group can read it. Your client software
    # may balk at self-signed certificates, however.

    TLSCertificateFile /certs/ldapscert.pem
    TLSCertificateKeyFile /certs/keys/ldapskey.pem
    TLSCipherSuite TLSv1+RSA:!NULL
    TLSVerifyClient never

    #disallow bind_anon
    #require bind
    #security simple_bind=128


    #######################################################################
    # ACL's
    #######################################################################
    # Sample security restrictions
    # Require integrity protection (prevent hijacking)
    # Require 112-bit (3DES or better) encryption for updates
    # Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64

    # Sample access control policy:
    # Root DSE: allow anyone to read it
    # Subschema (sub)entry DSE: allow anyone to read it
    # Other DSEs:
    # Allow self write access
    # Allow authenticated users read access
    # Allow anonymous users to authenticate
    # Directives needed to implement policy:
    ## access to dn.base="" by * read
    ## access to dn.base="cn=Subschema" by * read


    ##
    ## ACL1
    ##

    ##If I uncomment this, UNIX authentication to ou=People breaks

    #access to dn.one="ou=WebPeople,dc=surfads,dc=com"
    # attrs=children
    # by group.exact="ou=WebManagers,dc=surfads,dc=com" write
    # by users read


    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn. (e.g., "access to * by * read")
    #
    # rootdn can always read and write EVERYTHING!

    #######################################################################
    # ldbm and/or bdb database definitions
    #######################################################################

    database bdb
    suffix "dc=example,dc=com"
    rootdn "cn=ldapadmin,dc=example,dc=com"
    rootpw {SSHA}<SNIP>

    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /var/lib/ldap

    # Indices to maintain for this database
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub

    # Replicas of this database
    #replogfile /var/lib/ldap/openldap-master-replog
    #replica host=ldap-1.example.com:389 starttls=critical
    # bindmethod=sasl saslmech=GSSAPI
    # authcId=host/ldap-master.example.com@EXAMPLE.COM


    ----------------------

    Thank you!
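One way to write the rules for the ou layout described in the post, as an added example that is not the poster's slapd.conf or any OpenLDAP project file; it assumes slapd.conf-style ACLs on OpenLDAP 2.3 and the dc=example,dc=com suffix from the post, and it goes a little beyond the question by also locking down userPassword, which the pre-ACL default left world-readable.

```conf
#######################################################################
# ACLs for the layout in the post (added example, not the poster's file)
#######################################################################
# Rules are tried in order: the first "access to" whose <what> matches
# the target wins, and inside it the first matching "by" decides. Once
# ONE access directive exists, anything no rule matches falls to an
# implicit "by * none" instead of the old "by * read"; that is what cut
# off ou=People. The final "access to *" below restores it.

# Root DSE and schema: clients need these to negotiate and parse results
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# Passwords first (specific rules must precede the catch-alls). Web
# managers may reset web users' passwords, nobody may read the hashes,
# and "auth" lets a not-yet-bound session bind against them.
access to dn.one="ou=WebPeople,dc=example,dc=com" attrs=userPassword
    by dn.children="ou=WebManagers,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Same password policy for every other entry, ou=People included;
# shadowLastChange stays self-writable so pam_ldap password changes work
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none

# Adding or deleting an entry needs write on the PARENT's "children"
# pseudo-attribute, so this targets ou=WebPeople itself (dn.exact), not
# the entries one level below it (dn.one).
access to dn.exact="ou=WebPeople,dc=example,dc=com" attrs=children,entry
    by dn.children="ou=WebManagers,dc=example,dc=com" write
    by users read

# The web accounts themselves. group.exact=<dn> only matches DNs listed
# as "member" of a groupOfNames entry; an ou has no member attribute, so
# the original rule never matched anyone. dn.children matches every DN
# below the WebManagers ou, which is how the managers are stored here.
access to dn.one="ou=WebPeople,dc=example,dc=com"
    by dn.children="ou=WebManagers,dc=example,dc=com" write
    by users read

# Everything else, ou=People above all: identical to the pre-ACL default,
# so nss_ldap/pam_ldap keep working even when they bind anonymously.
# Tighten to "by users read" only if the clients bind with a DN.
access to *
    by * read
```

After editing, `slaptest -f /etc/openldap/slapd.conf` checks the syntax before a restart, and `ldapwhoami`/`ldapsearch` as a webmaster and as a plain ou=People user confirm that each side sees exactly what the rules intend.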