Creating an OpenLdap administrator group on LDAP server

Tags: centos7, openldap, slapd

I am trying to create a simple administrator group on my OpenLdap server that is running slapd. There is currently no slapd file, and I have been working with the cn=config format.

  • OS: CentOS Linux release 7.6.1810 (Core)
  • OpenLDAP: $OpenLDAP: slapd 2.4.44

My goal is to be able to put users into this admin group "cn=admins-group,ou=groups,dc=example,dc=com" so that they can log into the Phpldapadmin web interface and be able to create users in "ou=People,dc=example,dc=com".

This is the ldif for the admin group: (admin-group.ldif)

dn: cn=admin-group,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: admin-group
gidNumber: 12345
memberUid: admin1

I realize that one of the steps I need to take to accomplish my goal is to create an ACL rule that allows users from the admin group to access the resources they need.

This is the ldif that I wrote to modify the already existing rule in olcDatabase={1}monitor: (accesschange.ldif)

dn: olcDatabase={1}monitor,cn=config
changetype: modify
add: olcAccess
olcAccess: to *
  by self write
  by group/posixGroup/uniqueMember=cn=admins-group,ou=groups,dc=example,dc=com write

I ran this file using this command:

ldapmodify -x -W -D "cn=ldapadm,dc=example,dc=com" -f monitor.ldif

This ran without a problem. However, I still get the following error in phpldapadmin when trying to add a user under the People OU:

Could not add the object to the LDAP server.
LDAP said:  Insufficient access
Error number:   0x32 (LDAP_INSUFFICIENT_ACCESS)
Description:    You do not have sufficient permissions to perform that operation.

I have been researching this issue for 2 weeks with no success. Can anyone assist?

EDIT: I am looking at the olcDatabase:{1}monitor file under /etc/openldap/slapd.d/cn\=config/ and I am not seeing the new rule that I added. Maybe this is an issue with how I am using ldapmodify?

EDIT #2: Fixed the writing issue by using ldapmodify with EXTERNAL as follows:

ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

I put the new ACL rule in monitor.ldif and ran it this way. Monitor.ldif looked as follows.

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=fsr,dc=local" read by * none
olcAccess: to *
  by self write
  by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=fsr,dc=local" write

I am still unable to create a user as admin1, however. I'm not sure what I'm missing. I can see the rule that I created in the olcDatabase:{1}monitor file, but I still can't create a user.

Best Answer

The group schema used in the who clause is wrong. You have to use a group schema with full DNs as the member attribute. memberUid will not work.

Better use:

by group/groupOfNames/member="cn=admins-group,ou=groups,dc=example,dc=com" write

The group entry should look like this:

dn: cn=admins-group,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins-group
member: uid=foo1,ou=users,dc=example,dc=com
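As an added check (not part of the question or the answer above), the following script compares a slapd `by group/<objectClass>/<attr>=<dn>` who-clause against the LDIF of the group entry it names and reports the mismatches that make the clause silently never match: a member attribute that does not hold DNs (posixGroup/memberUid), a group DN in the ACL that differs from the entry's DN, a missing objectClass, or an empty member attribute. The sample ACLs and entries are constructed from the question and the answer; the LDIF parser is deliberately minimal (one entry, no continuation lines).

```python
import re
from collections import defaultdict

# Group schemas whose member attribute holds full DNs. A "by group/<oc>/<attr>=<dn>" who-clause
# matches the bind DN against that attribute, so posixGroup/memberUid (bare uids) can never match.
DN_GROUP_SCHEMAS = {("groupofnames", "member"), ("groupofuniquenames", "uniquemember")}
# group/<oc>/<attr>[.style]=<dn>; the DN may or may not be double-quoted
GROUP_CLAUSE = re.compile(r'group/(?P<oc>[\w-]+)/(?P<attr>[\w-]+)(?:\.\w+)?="?(?P<dn>[^"\s]+)"?')

def norm_dn(dn):
    """Lower-case and strip whitespace around commas so DNs compare reliably."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_ldif_entry(text):
    """Minimal one-entry LDIF parser (no continuation lines or base64): (dn, {attr: [values]})."""
    dn, attrs = None, defaultdict(list)
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key and not key.startswith("#"):
            attrs[key].append(value)
    return dn, attrs

def check_group_acl(acl, group_ldif):
    """Return why the group who-clause in `acl` cannot match members of the `group_ldif` entry ([] = consistent)."""
    m = GROUP_CLAUSE.search(acl)
    if not m:
        return ["no group/<objectClass>/<attr>=<dn> who-clause found"]
    oc, attr, dn = m["oc"].lower(), m["attr"].lower(), m["dn"]
    group_dn, attrs = parse_ldif_entry(group_ldif)
    problems = []
    if (oc, attr) not in DN_GROUP_SCHEMAS:
        problems.append(f"{oc}/{attr} is not DN-valued; use groupOfNames/member")
    if group_dn is None or norm_dn(group_dn) != norm_dn(dn):
        problems.append(f"ACL names {dn} but the group entry is {group_dn}")
    if oc not in {v.lower() for v in attrs["objectclass"]}:
        problems.append(f"group entry lacks objectClass {oc}")
    if not attrs[attr]:
        problems.append(f"group entry has no {attr} values")
    return problems

# Constructed from the question: posixGroup entry named admin-group, ACL naming admins-group
BROKEN_ACL = "to * by self write by group/posixGroup/uniqueMember=cn=admins-group,ou=groups,dc=example,dc=com write"
BROKEN_GROUP = "dn: cn=admin-group,ou=groups,dc=example,dc=com\nobjectClass: posixGroup\ncn: admin-group\ngidNumber: 12345\nmemberUid: admin1"
# Constructed from the answer: groupOfNames entry with a DN-valued member, ACL naming the same DN
FIXED_ACL = 'to * by self write by group/groupOfNames/member="cn=admins-group,ou=groups,dc=example,dc=com" write'
FIXED_GROUP = "dn: cn=admins-group,ou=groups,dc=example,dc=com\nobjectClass: groupOfNames\ncn: admins-group\nmember: uid=foo1,ou=users,dc=example,dc=com"
```

Running `check_group_acl(BROKEN_ACL, BROKEN_GROUP)` reports three problems (non-DN schema, DN mismatch, no uniqueMember values), while the answer's pair returns an empty list.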