osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

Trouble with ACL's #82

Open adambom opened 8 years ago

adambom commented 8 years ago

This may be a noob question, but I'm having the darndest time figuring out how to get read-only access working for users. My understanding is that this should be the default, but after I create a user, I'm unable to view any of the entries. Everything works as expected when I use the admin user. All my settings are vanilla.

Here's a dump of my ldif:

# LDIF Export for dc=example,dc=com
# Server: ldap.default.svc.cluster.local (ldap.default.svc.cluster.local)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 7
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on October 14, 2016 9:47 pm
# Version: 1.2.3

version: 1

# Entry 1: dc=example,dc=com
dn: dc=example,dc=com
dc: example
o: Example, Inc.
objectclass: top
objectclass: dcObject
objectclass: organization

# Entry 2: cn=admin,dc=example,dc=com
dn: cn=admin,dc=example,dc=com
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole
userpassword: {SSHA}3bBNNeG/iD21SXmifcP4Mn/6225uLmN8

# Entry 3: ou=groups,dc=example,dc=com
dn: ou=groups,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

# Entry 4: cn=users,ou=groups,dc=example,dc=com
dn: cn=users,ou=groups,dc=example,dc=com
cn: users
gidnumber: 500
objectclass: posixGroup
objectclass: top

# Entry 5: ou=users,dc=example,dc=com
dn: ou=users,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

# Entry 6: cn=adambom,ou=users,dc=example,dc=com
dn: cn=adambom,ou=users,dc=example,dc=com
cn: adambom
gidnumber: 500
givenname: Adam
homedirectory: /home/users/adambom
loginshell: /bin/sh
mail: adambom@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Savitzky
uid: adambom
uidnumber: 1001
userpassword: <password>

olegbakhirev commented 7 years ago

All my attempts to use ldapmodify with add of olcAccess control records failed. E.g. ldapmodify -H ldap://somehost.net:389 -x -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/ldap.ldif -v

ldap.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete olcAccess: {0}
delete olcAccess: {1}
add: olcAccess
olcAccess: to *  by self write  by users read

ldapmodify just returns modifying entry "olcDatabase={1}hdb,cn=config" modify complete

But I can't see any new olcAccess added to /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif. Only the two default olcAccess values are there:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn
 =admin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {1}to * by self write by dn="cn=admin,dc=example,dc=org" write by
  * none

pilla commented 7 years ago

I was able to change permissions using this one-liner inside the container:

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ldif

Where ldif is the file with the required modifications. Mine were:

# target database entry, as in the earlier comments (olcDatabase={1}hdb here; newer images use {1}mdb)
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=org" write by * read

My problem is a bit more subtle. How can I make this modification during setup time? I have tried putting it in the bootstrap together with my remaining ldif files, but it does not work. I suppose that the invocation of ldapmodify is different during setup time.
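
The access denied in the original question and granted by the ACL above follows from how slapd evaluates olcAccess: the first matching "to" directive decides, and within it the first matching "by" clause wins. As an added example (not code from the thread or from the image), here is a small Python evaluator for the subset of slapd.access(5) selectors used in this thread (`*`, `attrs=`, `dn.base=""`, `self`, `users`, `anonymous`, `dn=""`), with the image's default ACL and the fixed ACL from this comment embedded as constructed data; it assumes `dn=` means an exact match and that no matching directive yields `none`.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd.access(5), low to high
# Constructed from the thread: the image's default olcAccess values (authenticated users get nothing) ...
DEFAULT_ACLS = [
    '{0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none',
    '{1}to * by self write by dn="cn=admin,dc=example,dc=org" write by * none',
]
# ... and the replacement from pilla's comment (admin writes, everyone reads).
FIXED_ACLS = [
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=admin,dc=example,dc=org" write by * read',
]

def parse_acl(line):
    """Split one olcAccess value into (<what>, [(<who>, <level>), ...]); the {n} order prefix is dropped."""
    line = re.sub(r"^\{\d+\}", "", line.strip())
    what, *by_clauses = re.split(r"\s+by\s+", line)
    return re.sub(r"^to\s+", "", what), [tuple(c.rsplit(None, 1)) for c in by_clauses]

def what_matches(what, target_dn, attr):
    if m := re.fullmatch(r'dn\.base="([^"]*)"', what):
        return target_dn.lower() == m.group(1).lower()
    if what.startswith("attrs="):
        return attr.lower() in what[len("attrs="):].lower().split(",")
    if what != "*":
        raise ValueError(f"unsupported <what> selector: {what}")
    return True

def who_matches(who, bind_dn, target_dn):
    """Does this <who> selector match the requester? bind_dn == "" means an anonymous bind."""
    if m := re.fullmatch(r'dn="([^"]*)"', who):
        return bind_dn.lower() == m.group(1).lower()
    return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
            "self": bind_dn != "" and bind_dn.lower() == target_dn.lower()}[who]

def access(acl_lines, bind_dn, target_dn, attr):
    """Level granted: the first matching <what> decides and its first matching <who> wins; a matching
    directive with no matching <who> stops evaluation (each directive ends in an implicit 'by * none')."""
    for what, by_clauses in map(parse_acl, acl_lines):
        if what_matches(what, target_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"  # no directive applied at all (assumed default)

def allowed(acl_lines, bind_dn, target_dn, attr, needed):
    return LEVELS.index(access(acl_lines, bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

With DEFAULT_ACLS a bound non-admin user gets `none` on every other entry (the original question), while the `{2}to * ... by * read` directive in FIXED_ACLS grants `read`; the `by users read` variant from the earlier comment grants read only to bound users and leaves anonymous at `none`.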

wernerb commented 7 years ago

I was banging my head on this for hours...

I used this ldif:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=vault-challenge,dc=com" write by anonymous auth by * read
olcAccess: to * by self write by dn="cn=admin,dc=vault-challenge,dc=com" write by * read

And executing with

$ ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f bla

This was a huge pain.

cutec-chris commented 5 years ago

I always get ldap_modify: No such object (32) matched DN: cn=config with this :(

yehlo commented 5 years ago

@cutec-chris Can you supply your .ldif file?

Also watch out for what kind of DB you have. This thread is using the old version, which still pointed to hdb files. The information needed for this can be found in the readme.md.

I am able to edit my olcDatabase={1}mdb,cn=config successfully. Interestingly enough, it does not care about my edits.

I even added the line to * by * manage

If I then do some LDAP queries through ldapsearch I just get

# extended LDIF
#
# LDAPv3
# base <given base> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

I hope we can find a solution for both of our problems.

Edit: Edited markdown

eMPee584 commented 5 years ago

This file uses {{ LDAP_BACKEND }} to be generic; it worked for me: https://devlab.vbi.vt.edu/dixonj16/dockerized-sufia/raw/master/docker/ldap/bootstrap/ldif/10_security.ldif