Open yehlo opened 5 years ago
Alright I got some updates regarding this issue.
This issue seems to be located somewhat deeper than expected. The aci attribute is not needed to edit permissions inside OpenLDAP; you have to use olcAccess.
Through some guides I was able to create a working .ldif file.
olcAccess syntax: http://www.zytrax.com/books/ldap/ch6/
More on olcAccess: http://www.mariakathryn.net/Blog/54
LDIF files: https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=leuber,dc=ch" write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self read
  by dn="cn=admin,dc=leuber,dc=ch" write
  by * none
olcAccess: {3}to *
  by * manage
I apply this file through ldapmodify:
docker exec openldap ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/olcAccess.
The line
olcAccess: {3}to *
  by * manage
should give all users from my organization access to everything. I can successfully apply this configuration.
Through ldapsearch I tried to verify if it was set.
docker exec openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}mdb'
Which returns (it's a bit unreadable, but you can spot the needed lines):
olcAccess: {0}to attrs=userPassword,shadowLastChange by self
  write by dn="cn=admin,dc=leuber,dc=ch"
  write by anonymous auth
  by * none
olcAccess: {1}to * by self read
  by dn="cn=admin,dc=leuber,dc=ch" write by *
  none
olcAccess: {2}to * by * manage
I then did an ldapsearch query with a user:
docker exec openldap ldapsearch -D "cn=gitlab,ou=Users,dc=leuber,dc=ch" -b "dc=leuber,dc=ch" -w pw
Which returned
# extended LDIF
#
# LDAPv3
# base <dc=leuber,dc=ch> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Since it seemed to be impossible through ldapmodify, I added the file on boot through the directory:
/container/service/slapd/assets/config/bootstrap/ldif/custom
This just resulted in the container booting endlessly.
I will now investigate why the container stopped working after I loaded the file on boot and can hopefully spot the error.
Although I presume that the ldif file is working and that there is another error.
closed on accident, reopened
Because
olcAccess: {1}to *
  by self read
  by dn="cn=admin,dc=leuber,dc=ch" write
  by * none
has a higher priority than
olcAccess: {2}to * by * manage
try this:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to *
  by * manage
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=leuber,dc=ch" write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by self read
  by dn="cn=admin,dc=leuber,dc=ch" write
  by * none
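The ordering question in this thread is the whole problem: slapd walks olcAccess directives in order, the first `to` clause whose target matches decides, and inside it the first matching `by` clause fixes the access level; anything later is never consulted. The Python below is an added example (not code from the issue or from the osixia/openldap image) that models exactly that documented rule so the three orderings can be checked offline before applying them. It reuses the DNs from the thread and adds one constructed user entry, cn=alice; the "least privilege" list is my own construction, not anything posted above. The model deliberately leaves out control flags (stop/continue/break), group/dnattr/filter selectors, regex DN patterns and value-level ACLs, so it is a sanity check of ordering, not a replacement for slapacl(8). It also makes the shadowing cut both ways: a `to * by * manage` rule placed first hides the userPassword rule after it, so an anonymous bind would be granted manage on password hashes.

```python
"""Toy model of OpenLDAP olcAccess evaluation (added example, not from the issue).

Rule modelled (slapd.access(5) / Admin Guide): directives are tried in order, the
first `to` clause matching the target decides, the first matching `by` clause in
it yields the level; every directive ends with an implicit `by * none` and the
whole list with an implicit `to * by * none`.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# slapd access levels, weakest to strongest; each level implies the ones below it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass(frozen=True)
class Request:
    bind_dn: Optional[str]  # None models an anonymous bind
    target_dn: str          # entry being accessed
    attr: str               # attribute being accessed (entry-level checks not modelled)


def _who_matches(who: str, req: Request) -> bool:
    """Match one <who> selector of a `by` clause (subset of slapd.access(5))."""
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn is None
    if who == "users":
        return req.bind_dn is not None
    if who == "self":
        return req.bind_dn is not None and req.bind_dn.lower() == req.target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return req.bind_dn is not None and req.bind_dn.lower() == who[4:-1].lower()
    raise ValueError(f"unsupported <who> selector: {who}")


def _what_matches(what: str, req: Request) -> bool:
    """Match the <what> part of a `to` clause: `*` or `attrs=a,b,c`."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return req.attr.lower() in wanted
    raise ValueError(f"unsupported <what> selector: {what}")


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split one olcAccess value (single line, as slapd prints it) into
    (<what>, [(<who>, <level>), ...]); a leading {n} ordering prefix is dropped."""
    body = rule.split("}", 1)[1] if rule.startswith("{") else rule
    body = body.strip()
    if not body.startswith("to "):
        raise ValueError(f"olcAccess value must start with 'to': {rule}")
    head, *by_parts = body.split(" by ")
    what = head[len("to "):].strip()
    clauses = []
    for part in by_parts:
        who, level = part.strip().rsplit(" ", 1)  # level is always the last token
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r} in: {rule}")
        clauses.append((who.strip(), level))
    return what, clauses


def effective_access(rules: List[str], req: Request) -> str:
    """Return the access level slapd would grant for this request."""
    for rule in rules:
        what, clauses = parse_rule(rule)
        if not _what_matches(what, req):
            continue
        for who, level in clauses:
            if _who_matches(who, req):
                return level
        return "none"  # implicit 'by * none' at the end of a matching directive
    return "none"      # implicit 'to * by * none' at the end of the whole list


def allows(rules: List[str], req: Request, needed: str) -> bool:
    """True if the granted level is at least `needed` (stronger levels imply weaker)."""
    return LEVELS.index(effective_access(rules, req)) >= LEVELS.index(needed)


# --- rule lists, written as slapd prints them (one value per line) ---
ADMIN = 'dn="cn=admin,dc=leuber,dc=ch"'
GITLAB_DN = "cn=gitlab,ou=Users,dc=leuber,dc=ch"
SOME_USER = "cn=alice,ou=Users,dc=leuber,dc=ch"  # constructed entry, not from the issue

# Ordering from the opening post: the 'to *' rule {1} shadows {2}
AS_POSTED = [
    "{0}to attrs=userPassword,shadowLastChange by self write by " + ADMIN
    + " write by anonymous auth by * none",
    "{1}to * by self read by " + ADMIN + " write by * none",
    "{2}to * by * manage",
]
# Ordering from the reply: 'to * by * manage' comes first and shadows everything after it
AS_SUGGESTED = ["{0}to * by * manage", AS_POSTED[0].replace("{0}", "{1}"),
                AS_POSTED[1].replace("{1}", "{2}")]
# Least-privilege alternative (my construction): password rule first, then a named grant
LEAST_PRIVILEGE = [
    AS_POSTED[0],
    '{1}to * by dn="' + GITLAB_DN + '" read by self read by ' + ADMIN + " write by * none",
]

if __name__ == "__main__":
    for name, rules in [("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED),
                        ("least privilege", LEAST_PRIVILEGE)]:
        gitlab = effective_access(rules, Request(GITLAB_DN, SOME_USER, "uid"))
        anon = effective_access(rules, Request(None, SOME_USER, "userPassword"))
        print(f"{name:16}: gitlab reads uid -> {gitlab:6} | anonymous on userPassword -> {anon}")
```

Run it as a script to see the three orderings side by side; to check a real server instead of the model, slapacl(8) against the slapd.d directory with `-D` set to the gitlab DN gives the authoritative answer.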
It looks like aci: attributes are not a thing in OpenLDAP like they are in OpenDJ, SunLDAP, etc.
Hey
My experience with docker and openldap is limited, maybe I just missed something. I've managed to create my own docker-compose file and added an ou with some users.
Situation
I plan to use the users for other services like gitlab and added a respective user. This user does not have the needed access rights to read the needed attributes from users.
Googling around I saw that I needed to do this through ldap aci.
aci ldif file contents:
changetype: modify
replace: aci
aci: (target="ldap://*,ou=Users,dc=leuber,dc=ch") (version 3.0; acl "give gitlab user permissions to read";allow(read, search) userdn="ldap://cn=gitlab,ou=Users,dc=leuber,dc=ch";)
edit: I have also tried the mode add: aci, no changes.
Running this command with ldapmodify returns:
ldap_modify: Undefined attribute type (17) additional info: aci: attribute type undefined
As it says: aci attribute type undefined.
Problem
I googled on how to add the type to my schema and found out it has to be added on compilation. https://www.openldap.org/faq/data/cache/634.html
It does not seem to be possible to add the aci attribute after compilation. Looking at different Dockerfiles I found the following, which seems to add the needed aci attribute. https://github.com/timhawes/docker-openldap/blob/master/Dockerfile
--enable-aci \
Question
To further analyse this problem I wanted to ask a few questions:
I guess I could probably just use the existing Dockerfile and append the needed parameter. But I thought opening an issue would help other people as well.
Thanks in advance for any help on this topic.
Best Regards
Yehlo
Edit1: Edited title so other people could find this thread and hopefully find necessary information on their problem or contribute to my issue.