openldap: give a group write access to a subtree

1

I have

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

and an admin group for it:

dn: cn=people-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins of people group
uniqueMember: uid=admin1,ou=people,dc=example,dc=com

and I add these rules to allow people-admins to add / delete / modify users in the people group:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * none
olcAccess: to dn.one="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to dn.base="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to dn.children="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to dn.subtree="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to * by self write by dn="cn=admin,dc=example,dc=com" write by * none

then I try to add a new user to the people group using admin1's credentials, and I get:

ldapadd -x -H ldap://127.0.0.1:3000/  -D "uid=admin1,ou=people,dc=example,dc=com" -W
dn: uid=test1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: test1
sn: test
givenName: test1
cn: test test1
displayName: Test1
userPassword: test1
adding new entry "uid=test1,ou=people,dc=example,dc=com"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

Here is a similar question, but it gets a wrong answer, because dn.entry doesn't exist in openldap.

by fghj 15.04.2016 / 12:03

2 answers

2

The problem was that group.exact doesn't work with groupOfUniqueNames. I solved it by changing this rule:

by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write

to this rule:

by group/groupOfUniqueNames/uniqueMember=cn=people-admins,ou=groups,dc=example,dc=com write
by 15.04.2016 / 19:21
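To see why the original `group.exact=` clause is refused and the rewritten one is accepted, here is an added example (not code from the question, from either answer, or from OpenLDAP itself): a small Python model of the olcAccess evaluation slapd performs for an add. It assumes an in-memory dict standing in for the directory, DNs that compare as lower-cased strings, and only the target and subject forms that appear in the question's rules; the entries and the rule set are constructed from the question.

```python
"""Added example (not code from the question, the answers or OpenLDAP): a small
model of how slapd chooses an olcAccess clause for an add, showing why
`group.exact=` fails against a groupOfUniqueNames entry while
`group/groupOfUniqueNames/uniqueMember=` succeeds.  Assumed: an in-memory dict
stands in for the directory, DNs compare as lower-cased strings, and only the
target and subject forms used in the question are modeled."""
import re

# Constructed directory mirroring the question's entries (no live server).
DIRECTORY = {
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "cn=people-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=admin1,ou=people,dc=example,dc=com"]},
}
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd order

def norm(dn):
    return ",".join(p.strip() for p in dn.lower().split(","))

def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""

def values(entry, name):  # case-insensitive attribute lookup
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]

def dn_matches(style, pattern, dn):
    dn, pattern = norm(dn), norm(pattern)
    below = dn.endswith("," + pattern)
    return {"base": dn == pattern, "one": parent(dn) == pattern,
            "children": below, "subtree": dn == pattern or below}[style]

def target_matches(target, dn, attr):
    """`to` clause: every token must match; `attrs=` limits it to the listed attributes."""
    for tok in target.split():
        if m := re.fullmatch(r'dn\.(\w+)="([^"]+)"', tok):
            if not dn_matches(m.group(1), m.group(2), dn):
                return False
        elif m := re.fullmatch(r"attrs=(.+)", tok):
            if attr is None or attr.lower() not in m.group(1).lower().split(","):
                return False
        elif tok != "*":
            raise ValueError(f"unsupported target token {tok!r}")
    return True

GROUP_RE = re.compile(r"group(?:/(?P<oc>[^/.=]+)(?:/(?P<attr>[^.=]+))?)?(?:\.\w+)?=(?P<dn>.+)")

def group_member(subject, bind_dn, directory):
    """`by group[/objectClass[/attr]]=DN`: slapd defaults to groupOfNames/member and
    requires the group entry to carry that objectClass before reading the attribute."""
    m = GROUP_RE.fullmatch(subject)
    oc, attr = m.group("oc") or "groupOfNames", m.group("attr") or "member"
    entry = directory.get(norm(m.group("dn")))
    if entry is None or oc.lower() not in [c.lower() for c in values(entry, "objectClass")]:
        return False
    return norm(bind_dn) in [norm(v) for v in values(entry, attr)]

def subject_matches(subject, bind_dn, target_dn, directory):
    if subject == "*":
        return True
    if subject == "self":
        return norm(bind_dn) == norm(target_dn)
    if subject == "anonymous":
        return bind_dn == ""
    if m := re.fullmatch(r'dn(?:\.exact)?="([^"]+)"', subject):
        return norm(bind_dn) == norm(m.group(1))
    if subject.startswith("group"):
        return group_member(subject, bind_dn, directory)
    raise ValueError(f"unsupported subject {subject!r}")

def parse_olcaccess(line):
    """'olcAccess: to T by S1 L1 by S2 L2' -> ('T', [('S1', 'L1'), ('S2', 'L2')])"""
    parts = re.split(r"\s+by\s+", line.split(":", 1)[1].strip())
    return parts[0][2:].strip(), [tuple(p.rsplit(None, 1)) for p in parts[1:]]

def access_level(acls, bind_dn, target_dn, attr, directory):
    """The first `to` clause matching the target decides; inside it the first matching
    `by` subject decides, and a clause with no matching subject is an implicit `by * none`."""
    for target, bys in map(parse_olcaccess, acls):
        if target_matches(target, target_dn, attr):
            return next((lvl for subj, lvl in bys
                         if subject_matches(subj, bind_dn, target_dn, directory)), "none")
    return "none"

def can_add(acls, bind_dn, new_dn, directory=DIRECTORY):
    """An add needs write on the parent's `children` pseudo-attribute; that is the
    check behind "no write access to parent"."""
    level = access_level(acls, bind_dn, parent(new_dn), "children", directory)
    return LEVELS.index(level) >= LEVELS.index("write")

ADMIN1 = "uid=admin1,ou=people,dc=example,dc=com"
NEW_USER = "uid=test1,ou=people,dc=example,dc=com"
BROKEN = "by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write"
FIXED = "by group/groupOfUniqueNames/uniqueMember=cn=people-admins,ou=groups,dc=example,dc=com write"
# The question's rule set with GROUP standing for the clause under test.
TEMPLATE = [
    'olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * none',
    'olcAccess: to dn.one="ou=people,dc=example,dc=com" GROUP by self write by dn="cn=admin,dc=example,dc=com" write by * none',
    'olcAccess: to dn.base="ou=people,dc=example,dc=com" GROUP by self write by dn="cn=admin,dc=example,dc=com" write by * none',
    'olcAccess: to * by self write by dn="cn=admin,dc=example,dc=com" write by * none',
]
QUESTION_ACLS = [l.replace("GROUP", BROKEN) for l in TEMPLATE]   # can_add(...) -> False
ANSWER_ACLS = [l.replace("GROUP", FIXED) for l in TEMPLATE]      # can_add(...) -> True
```

Two points the model makes visible. `group.exact=` is shorthand for `group/groupOfNames/member.exact=`, so against a groupOfUniqueNames entry slapd never finds the objectClass it expects and admin1 falls through to `by * none`. And because slapd stops at the first `to` clause whose target matches, the add of `uid=test1` is decided by the `dn.base` rule on the parent `ou=people` entry (the `dn.one` rule does not match the parent itself); a single `dn.subtree` rule would cover what the question spreads over four `dn.*` rules.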
1

If you are just starting out, I recommend switching to groupOfNames instead of groupOfUniqueNames.

Most systems that interact with OpenLDAP for group membership expect groupOfNames by default, including OpenLDAP itself. While they can usually be modified to use groupOfUniqueNames / uniqueMember (for example sssd-ldap's ldap_group_member, or your own use in OpenLDAP's olcAccess), this will save you from having to adjust the defaults.

There are differences between distinguishedNameMatch, used by member, and uniqueMemberMatch, used by uniqueMember, but the former is usually sufficient.

$ ldapadd <<EOF
> dn: cn=testgroup,ou=groups,dc=example,dc=com
> objectclass: groupofnames
> member: uid=testuser,ou=people,dc=example,dc=com
> member: uid=testuser,ou=people,dc=example,dc=com
> EOF
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=testgroup,ou=groups,dc=example,dc=com"
ldap_add: Type or value exists (20)
    additional info: member: value #0 provided more than once

$ ldapsearch cn=testgroup
dn: cn=testgroup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: testgroup
gidNumber: 12345
member: uid=testuser,ou=people,dc=example,dc=com

$ ldapmodify <<EOF
dn: cn=testgroup,ou=groups,dc=example,dc=com
add: member
member: uid=testuser,ou=people,dc=example,dc=com
EOF

SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=testgroup,ou=groups,dc=example,dc=com"
ldap_modify: Type or value exists (20)
    additional info: modify/add: member: value #0 already exists
by 16.04.2016 / 01:25