How to add rights to a user with olcAccess, in an OpenLDAP 2.4


The modifications you need to apply are simple, if you are using slapd.conf as the server configuration file, and a bit more complicated if you are using the new cn=config layout. Be careful, anyway, that:

The older style slapd.conf(5) file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release.

as stated in the OpenLDAP documentation.

1) cn=config layout

You need to modify the configuration for the database you are using. Your OpenLDAP server may contain multiple databases, but you are interested only in the one that stores people data and their pictures. To list all your available databases, use:

slapcat -b cn=config

This command must be executed from the OpenLDAP server. It will read the file named cn=config.ldif in your slapd configuration directory. In my case, it is located in

/usr/local/etc/openldap/slapd.d/cn=config.ldif

Be careful that slapcat -b cn=config will work only if the shell user can read this file. In my case, the file is

-rw-------  1 ldap  ldap  680 10 mar 21:04 /usr/local/etc/openldap/slapd.d/cn=config.ldif

It belongs to user ldap, group ldap (they have been created during the OpenLDAP server installation). I have never set a password for user ldap, so:

tl;dr a way to read this file and to successfully run slapcat -b cn=config is to be root.

The output of slapcat -b cn=config is huge, but you can consider the last lines only, where the database you are interested in is listed. For example, it could be

dn: olcDatabase={1}mdb,cn=config

This is, for example, the Distinguished Name (dn) of the database containing users' pictures. You want to allow users to change their pictures.

You can modify the database configuration running (similarly to the previous case, you need write permissions on the file cn=config.ldif, so you could be root as before):

ldapmodify -f /path/to/yourfile -x -D "cn=config" -W
  • -f /path/to/yourfile is your configuration file (see below);
  • -x is Simple Authentication, it is needed if you are not using SASL;
  • -D "cn=config" is the username you are using to enter the OpenLDAP database. There is usually a super-user for each single database (frequently called Manager), and a global super-user. The user named cn=config is the global super-user. You should have configured its password during the OpenLDAP server installation; if you don't have this password, you might not be able to modify the database configuration;
  • -W asks you to type the password for the user cn=config.

The configuration file, located in /path/to/yourfile, must be a plain text file formatted as follows:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=jpegPhoto
  by self write
  by * read

I would suggest you prefer by self write instead of by self =xw (which would not permit users to read their pictures). Be careful to put two spaces before by, as stated in this answer.

You can now run slapcat -b cn=config again to check whether the configuration has been modified, and also whether the olcAccess statements are in the correct order. If not, you can delete them and add them again, knowing that each new olcAccess specification will be automatically put after the preceding ones.

2) slapd.conf layout

If you are using the old slapd.conf configuration file, you simply need the write permissions to it. Usually it is:

-rw-------  1 ldap  ldap   2557 Dec  15  2016 slapd.conf

So, you can open it as root, with your preferred text editor. Identify the database section you want to modify (for example, the one beginning with the following lines):

database        mdb
maxsize         1073741824
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

and simply add your lines at the bottom of this section, being careful if other access statements are already present. Again, I would suggest using by self write instead of by self =xw.


Regardless of your configuration, restart the OpenLDAP server (process slapd) after your modifications.


If you need further examples and/or clarifications, please consider:
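As an added example (not part of the answer above), the following script builds the LDIF record from the cn=config procedure, unfolds it the way the LDAP server does, and refuses to hand it to ldapmodify unless the olcAccess value reads as a single, correct clause. The database DN and attribute are constructed placeholders; adjust them to your own server.

```shell
#!/bin/sh
# Added example, not from the original answer: generate, verify and (optionally)
# apply the olcAccess change for jpegPhoto on a cn=config OpenLDAP 2.4 server.
set -eu

# Constructed values; replace with the DN printed by "slapcat -b cn=config".
DB_DN='olcDatabase={1}mdb,cn=config'
ATTR='jpegPhoto'

# Emit the modify record. A continuation line starts with ONE space (LDIF folding)
# plus the space that separates the clause words, hence two spaces before "by".
make_ldif() {
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\n'
    printf 'add: olcAccess\n'
    printf 'olcAccess: to attrs=%s\n' "$2"
    printf '  by self write\n'
    printf '  by * read\n'
}

# Unfold LDIF as the server will: a line beginning with a single space continues
# the previous line, and that leading space is dropped (RFC 2849 folding).
unfold_ldif() {
    awk '
        /^ /   { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
               { buf = $0 }
        END    { if (NR > 0) print buf }
    '
}

# Print the unfolded olcAccess value so it can be eyeballed or checked.
access_clause() {
    make_ldif "$1" "$2" | unfold_ldif | sed -n 's/^olcAccess: //p'
}

# Accept only the clause the answer recommends (self write, everyone read);
# a missing second space would fold into "jpegPhotoby self write" and be rejected.
check_clause() {
    clause=$(access_clause "$1" "$2")
    case "$clause" in
        *"by self write by * read") return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    check_clause "$DB_DN" "$ATTR"
    # Run as root on the server: simple bind (-x) as cn=config (-D), prompting for its password (-W).
    make_ldif "$DB_DN" "$ATTR" | ldapmodify -x -D "cn=config" -W
else
    make_ldif "$DB_DN" "$ATTR"   # dry run: show the LDIF that would be sent
fi
```

Run it without arguments to inspect the generated LDIF, then with --apply on the server to submit it; afterwards slapcat -b cn=config should show the new olcAccess entry.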

Author: Srithovic

Updated on June 04, 2022

Comments

  • Srithovic
    Srithovic almost 2 years

    I have an OpenLDAP Server 2.4 running in my company and I need to permit people to change their picture in one of our web applications. The function is already present. People in LDAP just don't have any rights to write their own attributes (especially here the "jpegPhoto" attribute needed).

    I found this in the Documentation

    access to attrs=jpegPhoto
        by self =xw
        by * read
    

    I don't know how to use these lines. What command to use, or something else.

    If someone could help me in the way to process it could be great.

    Thanks

    • BowPark
      BowPark almost 7 years
      You would like to know the meaning of these lines, or you are sure they will work and you simply would like to add them to your database configuration?
    • Srithovic
      Srithovic almost 7 years
      I understand these lines, I just don't know how to use them, with a command? Add them to a file? Which file? I'm a bit lost
    • BowPark
      BowPark almost 7 years
      Are you using the old slapd.conf file for server configuration, or the new configuration layout cn=config?