Linux – How to allow users on an openLDAP server to create, update, and modify users under a certain organizationalUnit

Tags: access-control-list, ldap, linux, openldap, Ubuntu

I have been stuck for about two weeks now on trying to allow openLDAP users that are in a certain group (e.g. cn=Admins,dc=mydomain,dc=com) to create, modify, update, and delete users that are in another organizationalUnit (e.g. ou=Users,dc=mydomain,dc=com). I have done everything in my power to try to figure this out, such as searching through Google, then serverfault, and finally stackoverflow, but to no avail. I am fairly new to openLDAP and it is probably an error and/or something that I am overlooking with the olcAccess attribute in the dn: olcDatabase={1}hdb,cn=config.

Admin Group.ldif

dn: cn=Admins,dc=ldapserver,dc=com
changetype: add
objectClass: groupOfNames
objectClass: top
member: cn=admin,ou=Users,dc=ldapserver,dc=com
cn: Admins

Users.ldif

dn: ou=Users,dc=ldapserver,dc=com
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: Users

Default olcAccess

Note: These are the default ACLs that come with a fresh install of openLDAP server.

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read

Please Note 1: Because I am fairly new to openLDAP, I have not set any ACLs other than the ones that come by default when you first install the openLDAP server.

Please Note 2: Before I asked my question I tried this question here, which obviously has not worked for me.

Thanks,
Alex

Best Answer

The ACLs in openldap are always evaluated from top to bottom of the list of lines numbered {0}, {1}, ... As soon as a condition is met, evaluation stops immediately (assuming break is not used).

In the default ACLs set by Ubuntu and compliant distributions there is the line:

olcAccess: {2}to * by * read

to * by * matches everything, so adding lines after it has no effect at all.

The solution discussed at this link and above should solve your problem; I suggest you try this ACL list:

olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="ou=Users,dc=ldapserver,dc=com"
             by group/groupOfUniqueNames/uniqueMember="cn=Admins,dc=ldapserver,dc=com" write

and change the objectClass of the admins group to groupOfUniqueNames.
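As an added illustration (not part of the question or the answer, and not OpenLDAP code), here is a small Python model of slapd's first-match walk over olcAccess rules, run against the default ACL set from the question and the replacement proposed in the answer; the group entry and user DNs are constructed. It shows why the default `to * by * read` line leaves admins with read only, why the proposed rule needs the group's objectClass to match the `group/groupOfUniqueNames/uniqueMember=` selector, and that, with no trailing `by * read`, other users lose read access inside ou=Users.

```python
# Simplified model of how slapd evaluates olcAccess: the first matching "to"
# clause wins, inside it the first matching "by" clause decides, and anything
# left unmatched falls through to "none". Not OpenLDAP's own code.
import re

# Constructed group entry; objectClass and member attribute are kept so the
# group/<objectClass>/<attr>="<dn>" selector can be checked like slapd does.
GROUP = {"cn=Admins,dc=ldapserver,dc=com": {
    "objectClass": "groupOfUniqueNames",
    "uniqueMember": {"cn=admin,ou=Users,dc=ldapserver,dc=com"}}}

# The default ACLs from the question, and the list proposed in the answer.
DEFAULT_ACL = [
    ("attrs=userPassword", "by self write by anonymous auth by * none"),
    ("attrs=shadowLastChange", "by self write by * read"),
    ("*", "by * read"),
]
PROPOSED_ACL = DEFAULT_ACL[:2] + [
    ('dn.subtree="ou=Users,dc=ldapserver,dc=com"',
     'by group/groupOfUniqueNames/uniqueMember="cn=Admins,dc=ldapserver,dc=com" write'),
]

def to_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[6:].split(",")
    m = re.match(r'dn\.subtree="([^"]+)"', what)
    return bool(m) and target_dn.lower().endswith(m.group(1).lower())

def who_matches(who, target_dn, bind_dn, groups):
    if who == "*":
        return True
    if who == "self":
        return bind_dn == target_dn
    if who == "anonymous":
        return bind_dn is None
    m = re.match(r'group/([^/]+)/([^=]+)="([^"]+)"', who)
    if m:  # the group entry must exist and carry the named objectClass/attr
        g = groups.get(m.group(3))
        return bool(g) and g["objectClass"] == m.group(1) \
            and bind_dn in g.get(m.group(2), ())
    return False

def access(acls, target_dn, attr, bind_dn, groups=GROUP):
    """Return the access level bind_dn gets on attr of target_dn."""
    for what, by in acls:
        if to_matches(what, target_dn, attr):
            for who, level in re.findall(r"by (\S+) (\w+)", by):
                if who_matches(who, target_dn, bind_dn, groups):
                    return level
            return "none"   # "to" matched but no "by" did: implicit deny
    return "none"           # nothing matched: implicit trailing "to * by * none"
```

Running `access(PROPOSED_ACL, "uid=bob,ou=Users,dc=ldapserver,dc=com", "cn", "uid=bob,...")` returns "none", which is the caveat to keep in mind before applying the proposed list as-is.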