Ldap – How to add admin users in 389 LDAP, fedora directory server

389-dsldapldifopenldap

I want to create couple of Admin users who have access to create/delete users on a particular group/Organization Unit. For example,

User: uid=testadmin, ou=people, dc=my,dc=net

Should have access to create new users/delete users under

ou=People,dc=my,dc=net

I tried with below ACI but did not work

(target = "ldap:///ou=People,dc=my,dc=net")(targetattr = "*") (version 3.0;acl "testadmin Permissions";allow (proxy)(userdn = "ldap:///uid=testadmin,ou=people,dc=my,dc=net");)

I am able to add administrative users from the Directory Server console, but this user data is not stored in ldif files and only stored in binary database at /var/lib/dirsrv/slap-ldap/db/. Only problem is these users have full power and I am not sure how to restrict their access.

Best Answer

Well Answer turn to be very simple and logical. In order to provide an ACI for a specific OU. In this case, the user sm has all rights under the directory ou=Support Group.

 (targetattr = "*") 
(target = "ldap:///ou=Support Group,dc=my,dc=net") 
(version 3.0;
acl "sm aci";
allow (all)
(userdn = "ldap:///uid=sm,ou=Support Group,dc=my,dc=net")
;)

target: specifies where to apply the rule.

targetattr: Could be used to limit the access to various attributes of the entry. Such as you the "sm" user not to have access to change password such thing you could specify here.

allow (): specifies the permission

the last one userdn (Bind Rule): Specifies who has the rights. In this way you can easily give away access to other users to manage their own groups User credentials.

Related Solutions

Ldap – 389 Directory Server Administrative Limit Exceeded error

From what I understood, you are not able to get all entries. Looks like your are hitting admin limit exceeded.

If you want to search from a non-cn=Directory manager user. you need to add some attributes to user like below.

/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: uid=test2,ou=People,dc=example,dc=com
changetype: modify
add: nssizelimit
nssizelimit: -1
-
add: nslookthroughlimit
nslookthroughlimit: -1

Centos – How to add ACIs to OpenLDAP properly

Figured out that it's probably better to just do it the bdb.ldif way. What I did was like the above, but I made a few changes.

olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell by dn="cn=manager,dc=bromosapien,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=manager,dc=bromosapien,dc=net" write by group.exact="cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net" write by * read

What I did instead was, I labeled each line with braces and a number. I also added the ability for a user to change their login shell (because I allow Bash, ksh, and zsh, we default to bash). I then created a groupOfNames container inside of the Group OU. Like this.

dn: cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net
objectClass: groupOfNames
objectClass: top
cn: LDAPADMIN
member: uid=zera,ou=People,dc=angelsofclockwork,dc=net
member: uid=sithlord,ou=People,dc=angelsofclockwork,dc=net

Of course, this requires the memberOf overlay.

The memberOf overlay I used is below:

% vi modules.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof

% vi memberof.ldif

dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Best Answer

Related Solutions

Ldap – 389 Directory Server Administrative Limit Exceeded error

Centos – How to add ACIs to OpenLDAP properly

Related Topic