
I've been configuring an LDAP server on a Linux instance using AWS EC2. Up to now, I successfully set up LDAP and phpLDAPadmin to work together.

I've created Users and Groups "Organisation Units". I've added users and groups to those "OU"s. Now I want to grant access to specific parts of my LDAP tree to the "Users" members of a "Group". That's what I wasn't able to configure up to now...

My LDAP tree looks like this:

+--> dc=www,dc=website,dc=com (3)
  ---> cn=admin
  +--> ou=groups (4)
  | ---> cn=admin_users
  | ---> cn=app1_users
  | ---> cn=app2_users
  | ---> cn=basic_users
  +--> ou=users (3)
  | ---> cn=user1
  | ---> cn=user2
  | ---> cn=user3

Let's say that I added user1 + user2 to the "memberUid" list of "app1_users" and user2 + user3 to the "memberUid" list of "app2_users".

I want:

  • cn=admin have full rights/access to the tree
  • app1_users can connect (to phpLDAPadmin) and add new members to the group itself
  • the same for app2_users' users

A connected user (on phpLDAPadmin) should only see the tree (and child subtrees) he's part of.

Here are the ACLs I tried (which were obviously not working):

access to attrs=shadowLastChange
    by self write
    by dn="cn=admin,dc=www,dc=website,dc=com" write
    by * read

access to attrs=userPassword
    by self write
    by dn="cn=admin,dc=www,dc=website,dc=com" write
    by anonymous auth by * none

access to dn.base=""
    by * read

access to dn.subtree="cn=app1_users,ou=groups,dc=www,dc=website,dc=com"
    by group.base="cn=app1_users,dc=www,dc=website,dc=com" write
    by dn.base="cn=admin,dc=www,dc=website,dc=com" write 
    by * none

access to dn.subtree="cn=app2_users,ou=groups,dc=www,dc=website,dc=com"
    by group.base="cn=app2_users,dc=www,dc=website,dc=com" write
    by dn.base="cn=admin,dc=www,dc=website,dc=com" write 
    by * none

access to *
    by self write
    by dn="cn=admin,dc=www,dc=website,dc=com" write
    by * read

Is there something wrong with my configuration?

Jsncrdnl

1 Answer


Let's say that I added user1 + user2 to the "memberUid" list of "app1_users" and user2 + user3 to the "memberUid" list of "app2_users".

This does not work with posixGroup entries with memberUid as member attribute. memberUid only contains a short username and not a DN.

As slapd.access(5) clearly states group ACLs only work with member attributes containing the full distinguished name (DN) of each member entry:

   The statement group=<group> means that access is  granted  to  requests
   whose  DN  is  listed  in the group entry whose DN is given by <group>.
   The  optional  parameters  <objectclass>  and  <attrname>  define   the
   objectClass  and  the  member  attributeType  of  the group entry.  The
   defaults are groupOfNames and member, respectively.

Some notes about your ACLs:

  • Omit the ACL for attribute shadowLastChange because LDAP shadow map is a broken concept. And if you do use shadow maps, your ACL (probably copy&paste from some how-to) would allow the user to circumvent shadow password expiry.
  • Do not grant implicit read privilege to userPassword by using the inclusive write access. Use the write-only privilege =w instead.

See also my answer to this question on serverfault:

Set ACL in OpenLDAP so that user can find its own entry from filtered subtree

And before going down that route yourself I'd recommend considering one of the systems I mentioned in other answers:

Centralised NSS backend for Linux

How to only allow users and/or groups access certain client machines that are connected to an openldap server?
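The two corrections from the answer (a group whose members are full DNs so that `by group` can match, and a write-only `=w` privilege on userPassword) written out as an LDIF for the question's tree. This is an added example, not the questioner's or answerer's configuration; it assumes the database is `olcDatabase={1}mdb,cn=config` (cn=config style rather than slapd.conf) and that `ou=users` and `ou=groups` already exist.

```ldif
# Constructed example; apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f this.ldif
# 1) Group with DN-valued members. groupOfNames/member are the defaults
#    slapd.access(5) uses for "by group", unlike posixGroup/memberUid.
dn: cn=app1_users,ou=groups,dc=www,dc=website,dc=com
changetype: add
objectClass: groupOfNames
cn: app1_users
member: cn=user1,ou=users,dc=www,dc=website,dc=com
member: cn=user2,ou=users,dc=www,dc=website,dc=com

# 2) ACLs in evaluation order: the first "to" clause that matches the target
#    wins, so the userPassword rule must precede the catch-all.
#    (Continuation lines start with two spaces: LDIF strips the first one.)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Owner may set but never read the hash; no shadowLastChange rule at all.
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=admin,dc=www,dc=website,dc=com" write
  by self =w
  by anonymous auth
  by * none
# rootDSE must stay readable so clients can bind.
olcAccess: {1}to dn.base="" by * read
# Members of app1_users may add/remove members of their own group; the
# group DN now includes ou=groups, which the question's ACL omitted.
olcAccess: {2}to dn.exact="cn=app1_users,ou=groups,dc=www,dc=website,dc=com" attrs=member
  by group/groupOfNames/member.exact="cn=app1_users,ou=groups,dc=www,dc=website,dc=com" write
  by dn.exact="cn=admin,dc=www,dc=website,dc=com" write
  by * none
# The rest of the group entry is readable by its own members only.
olcAccess: {3}to dn.exact="cn=app1_users,ou=groups,dc=www,dc=website,dc=com"
  by group.exact="cn=app1_users,ou=groups,dc=www,dc=website,dc=com" read
  by dn.exact="cn=admin,dc=www,dc=website,dc=com" write
  by * none
# Catch-all: admin has full rights, users see only their own entry.
olcAccess: {4}to *
  by dn.exact="cn=admin,dc=www,dc=website,dc=com" write
  by self read
  by * none
```

With `by * none` as the catch-all, a bound user cannot browse `ou=users` or the base entry in phpLDAPadmin; if that navigation is wanted, grant `attrs=entry` read on those parents to `users` as a further rule before the catch-all.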