How to self change attrs in openldap

access-control-listopenldap

I am running openldap is 2.4.40 and have applied following ACL:

olcAccess: {0}to *      
          by self write       
          by dn="cn=Manager,dc=sample,dc=com" write       
          by * read
olcAccess: {1}to dn.children="ou=sysUsers,dc=sample,dc=com" 
           attrs=userPassword,shadowLastChange,description,sshPublicKey       
          by self write
          by dn="cn=Manager,dc=sample,dc=com" write             
          by anonymous auth
          by * none

I want to change the userPassword, shadowLastChange, description, sshPublicKey by user(sysUsers). But its giving me permission error, Doesn't write permission.

# slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'
 authcDN: ""
 entry: read(=rscxd)
 children: read(=rscxd)
 gidNumber=1000: read(=rscxd)
 homeDirectory=/home/user1: read(=rscxd)
　　：
 cn=user1: read(=rscxd)
 sshPublicKey=ssh-rsa AAAAB3Nza…cGWliPbw== root@sample.com: read(=rscxd)
 userPassword=****: read(=rscxd)
 description=test user1: read(=rscxd)
　　：
 modifyTimestamp=20161025074434Z: read(=rscxd)

LDAP reponse:   Insufficient access
error number:   0x32 (LDAP_INSUFFICIENT_ACCESS)
description:    You do not have sufficient permissions to perform that operation.

I tried modifying description by user uid=user1,ou=sysUsers,dc=sample,dc=com, but failed.

uid=Manager,ou=sysUsers,dc=sample,dc=com is able to modify though.

what am I doing wrong? I suspect ACL problem?

Best Answer

olcAccess: {0}to *      
          by self write       
          by dn="cn=Manager,dc=sample,dc=com" write       
          by * read
olcAccess: {1}to dn.children="ou=sysUsers,dc=sample,dc=com" 
           attrs=userPassword,shadowLastChange,description,sshPublicKey       
          by self write
          by dn="cn=Manager,dc=sample,dc=com" write             
          by anonymous auth
          by * none

First of all the ACL sequence you have given is not correct, In this case everything will be matched to first directive as it has "*" in , Which matches everything, and it will never go to the second rule of ACL.

Second, The command you have used to check the ACL permissions is incorrect, You have used:

slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'

Which is incorrect -D is the DN whose permissions are to be checked and -b is baseDN to which permissions is to be checked.

So correct command should be check self permissions:

slapacl -D 'uid=user1,ou=sysUsers,dc=sample,dc=com' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'

EDIT AFTER YOUR FINDINGS: The ACL you had applied was for dn:olcDatabase={0}config,cn=config whereas it should be applied for Database DN dn:olcDatabase={2}bdb,cn=config

What I am pretty sure you are trying to do is change the description of DN:"uid=Manager,ou=sysUsers,dc=sample,dc=com" which ofcourse according to ACL any other won't be able to do except DN:"uid=Manager,ou=sysUsers,dc=sample,dc=com" itself or DN:"cn=Manager,dc=sample,dc=com".

Hope this helps! Please support the answer by marking it as helped or answered if it did.

Related Solutions

Linux – OpenLDAP ACL to allow users to change their password

Try something along the lines of:

access to attrs=userPassword
        by self write
        by anonymous auth
        by users none

access to * by * read

(Note that for security reasons you DON'T want everyone able to read the UserPassword attribute -- that would allow people to skim your shadow/encrypted passwords & run a crack program against them easily.)

Edit to add requested explanation of the access to attrs=userPassword ACL above

by self write
The logged in user can write (change) their own userPassword attribute -- this is what lets you change your password.

by anonymous auth
Anonymous users (ones who bound to the directory anonymously - that is, without specifying a DN & password) may access userPassword for the sole purpose of authentication (they don't have access to it for any other purposes, like searching or browsing).

by users none
This denies logged in users access to anyone else's userPassword attribute. Theoretically this could be auth as well, but normally (At least in my environment) a logged-in user shouldn't need to authenticate/bind as another user.

Centos – How to add ACIs to OpenLDAP properly

Figured out that it's probably better to just do it the bdb.ldif way. What I did was like the above, but I made a few changes.

olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell by dn="cn=manager,dc=bromosapien,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=manager,dc=bromosapien,dc=net" write by group.exact="cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net" write by * read

What I did instead was, I labeled each line with braces and a number. I also added the ability for a user to change their login shell (because I allow Bash, ksh, and zsh, we default to bash). I then created a groupOfNames container inside of the Group OU. Like this.

dn: cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net
objectClass: groupOfNames
objectClass: top
cn: LDAPADMIN
member: uid=zera,ou=People,dc=angelsofclockwork,dc=net
member: uid=sithlord,ou=People,dc=angelsofclockwork,dc=net

Of course, this requires the memberOf overlay.

The memberOf overlay I used is below:

% vi modules.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof

% vi memberof.ldif

dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Best Answer

Related Solutions

Linux – OpenLDAP ACL to allow users to change their password

Centos – How to add ACIs to OpenLDAP properly

Related Topic