How to set access control lists (ACLs) in OpenLDAP


Solution 1

From Debian Wiki:

Since version 2.4.23-3 the configuration of OpenLDAP has been changed to /etc/ldap/slapd.d by default.

So OpenLDAP allows configuring itself dynamically through the 'cn=config' tree.

You can list the DNs in cn=config and see something like this:

sudo ldapsearch  -Y EXTERNAL -H ldapi:/// -b cn=config dn
...
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
...

sudo ldapsearch  -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}hdb'

# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=nodomain" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=nodomain" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=nodomain
olcRootPW: {SSHA}_skip_
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq

Attribute olcAccess is what you need.

Let's add new ACL rules to database dc=nodomain.

Create an LDIF file:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.base="cn=test,dc=nodomain" by * read

Apply:

sudo ldapmodify  -Y EXTERNAL -H ldapi:/// -f /tmp/test.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"

Voilà:

sudo ldapsearch  -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}hdb'
...
olcAccess: {3}to dn.base="cn=test,dc=nodomain" by * read
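An added example (my own code, not from any answer on this page and not OpenLDAP's): a small Python model of how slapd walks olcAccess rules, run over the four rules shown above (the three existing ones plus the appended {3}). slapd uses the first `to` clause that matches the target and, inside it, the first matching `by` clause; `to *` at {2} therefore matches every request and the {3} rule appended after it is never consulted (Solution 5 below appends its rule in the same position). The `unreachable_rules` check flags that, and `move_before_catch_all` renumbers the rules so the specific one comes first. Only the clause styles that appear on this page are modelled (`*`, `dn.base`/`dn.exact`, `attrs=`, `self`, `anonymous`, `users`, `dn=`); regex, subtree and filter styles and the rootdn bypass are deliberately left out, and the LDIF sample is constructed from the ldapsearch output above.

```python
"""Simplified model of slapd olcAccess evaluation (added example, not OpenLDAP code)."""
import re

# Constructed sample: the olcAccess values from the ldapsearch output above, folded
# exactly as ldapsearch prints them (a leading space continues the previous line).
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=nodomain" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=nodomain" write by * read
olcAccess: {3}to dn.base="cn=test,dc=nodomain" by * read
"""


def unfold_ldif(text):
    """Join LDIF continuation lines before parsing anything."""
    return text.replace("\n ", "")


def parse_olc_access(text):
    """Return [(index, what, [(who, level), ...]), ...] ordered by the {n} prefix."""
    rules = []
    for line in unfold_ldif(text).splitlines():
        m = re.match(r'olcAccess:\s*\{(\d+)\}to\s+(.*)', line)
        if not m:
            continue
        idx, body = int(m.group(1)), m.group(2)
        parts = re.split(r'\s+by\s+', body)        # "<what> by <who> <level> by ..."
        bys = []
        for clause in parts[1:]:
            who, level = clause.rsplit(None, 1)
            bys.append((who.strip(), level))
        rules.append((idx, parts[0].strip(), bys))
    return sorted(rules, key=lambda r: r[0])


def what_matches(what, target_dn, attr):
    """<what> styles modelled: '*', dn.base/dn.exact="<dn>", attrs=<list>."""
    if what == "*":
        return True
    m = re.match(r'dn(?:\.base|\.exact)?="([^"]*)"', what)
    if m:
        return m.group(1).lower() == target_dn.lower()
    m = re.match(r'attrs=(\S+)', what)
    if m:
        return attr.lower() in [a.lower() for a in m.group(1).split(",")]
    raise ValueError("unsupported <what> clause in this model: " + what)


def who_matches(who, requester_dn, target_dn):
    """<who> styles modelled: '*', anonymous, users, self, dn="<dn>" (treated as exact)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    m = re.match(r'dn(?:\.exact)?="([^"]*)"', who)
    if m:
        return requester_dn is not None and requester_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported <who> clause in this model: " + who)


def effective_access(rules, requester_dn, target_dn, attr="entry"):
    """First matching <what> wins; within it the first matching <who> wins; no match
    means 'none' (slapd's implicit 'by * none'). requester_dn=None means anonymous."""
    for _, what, bys in rules:
        if what_matches(what, target_dn, attr):
            for who, level in bys:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"
    return "none"


def unreachable_rules(rules):
    """Indices of rules placed after a 'to *' rule: they can never be consulted."""
    dead, seen_catch_all = [], False
    for idx, what, _ in rules:
        if seen_catch_all:
            dead.append(idx)
        if what == "*":
            seen_catch_all = True
    return dead


def move_before_catch_all(rules, idx):
    """Move rule idx in front of the first 'to *' rule and renumber the {n} prefixes."""
    rule = next(r for r in rules if r[0] == idx)
    rest = [r for r in rules if r[0] != idx]
    pos = next((i for i, r in enumerate(rest) if r[1] == "*"), len(rest))
    reordered = rest[:pos] + [rule] + rest[pos:]
    return [(n, what, bys) for n, (_, what, bys) in enumerate(reordered)]


def to_ldif_values(rules):
    """Render rules as olcAccess values, e.g. for a 'replace: olcAccess' modify LDIF."""
    return ["olcAccess: {%d}to %s %s" % (idx, what,
            " ".join("by %s %s" % (who, lvl) for who, lvl in bys))
            for idx, what, bys in rules]


if __name__ == "__main__":
    rules = parse_olc_access(SAMPLE_LDIF)
    print("unreachable rules:", unreachable_rules(rules))
    print("anonymous on cn=test entry:", effective_access(rules, None, "cn=test,dc=nodomain"))
    for value in to_ldif_values(move_before_catch_all(rules, 3)):
        print(value)
```

Running it reports rule {3} as unreachable; anonymous still gets `read` on the cn=test entry, but only because `{2}to * ... by * read` granted it. When the reordered list is written back, use `replace: olcAccess` with all values rather than `add:`, since the {n} prefixes of the existing values change.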

Solution 2

The procedure is very similar to the procedure for changing the password that I described in another question.

There are also two ways.

1) Editing the config file. You need to find the config file of your backend. Each ACL is defined as a value of the olcAccess attribute. The syntax of an ACL is identical to that in a "normal" slapd.conf file, but at the beginning of each ACL you must insert a number that defines the "position" of the ACL in the ACL queue to check.

An example ACL entry looks like this:

olcAccess: {0}to * by anonymous write

2) Second way: using the config database. If the config database is enabled you can bind to it using an LDAP client and edit the olcAccess values for each backend.

Solution 3

The entire contents of slapd.d is concatenated together at runtime to generate a sort of pseudo slapd.conf file (that description isn't entirely accurate, but I'm more trying to get the concept across). This is a common practice in Debian, and personally in many cases I highly prefer it.

Create a new file inside of slapd.d named acl (or similar; you will want to include a numbered prefix if other files have it), put your ACL entries in there, then restart slapd.

That should do it.* But be warned, that slapd's ACL structure can be difficult for the uninitiated. It's easy to do the wrong and/or unintended thing.

*Provided there aren't any sequence limitations (I don't know slapd that well, so you're on your own for that).

Solution 4

I'm not saying this is a solution, but it might help you on your way :-)

I asked a similar question on serverfault.

https://serverfault.com/questions/246252/openldap-rhel-6

I never got an answer; in the end I had to create a slapd.conf and convert it to the slapd directory using the following commands (note this was on RHEL).

Remove the contents of the /etc/openldap/slapd.d/ directory:

rm -rf /etc/openldap/slapd.d/* 

Edit your custom slapd.conf file.

Run slaptest to check the validity of the configuration file and create a new slapd.d directory with your settings:

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d 

Configure permissions on the new directory so ldap doesn't moan:

chown -R ldap:ldap /etc/openldap/slapd.d 

chmod -R 000 /etc/openldap/slapd.d 

chmod -R u+rwX /etc/openldap/slapd.d 

Then start up your LDAP server.

I created a small script to run these commands every time I made a change to slapd.conf.

Regards, Andy

Solution 5

Create whatever user you want:

# vim ro_user_desc.ldif

dn: cn=ro_admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {SSHA}o3pSzVM3HXqUY6R2VHGJkJEWlwLOUH1N

The userPassword hash you can get from slappasswd -s your_plaintext_pass. Create this user:

# ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ro_user_desc.ldif

Assign the needed role to it:

# vim ro_access.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.base="dc=example,dc=com" by dn.exact="cn=ro_admin,dc=example,dc=com" read

We enabled list (read-only) access to the full tree dc=example,dc=com for the user created above. The correct address of dn: olcDatabase={1}mdb,cn=config is better found using @sOliver's answer. But keep in mind that this example is for an MDB OpenLDAP base; in the case of HDB etc. it could vary.

Finally apply it:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ro_access.ldif
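An added example (my own code, not from this answer and not OpenLDAP's) for the userPassword value used above: it builds and verifies a hash in the {SSHA} format that `slappasswd -s` produces by default (base64 of SHA-1(password || salt) followed by the salt), and renders the ro_user LDIF entry with a freshly generated hash instead of a pasted one. The DN and password are constructed sample values. {SSHA} is a single unsalted-iteration SHA-1 and is not a modern password hash; for new deployments OpenLDAP's {CRYPT} scheme with a strong underlying crypt, or the PBKDF2/Argon2 password modules, are preferable, but the format below is what the answer's value uses.

```python
"""Build and verify OpenLDAP {SSHA} userPassword values (added example, not OpenLDAP code)."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output length; everything after it in the decoded value is the salt


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password || salt) || salt).
    slappasswd uses a random 4-byte salt; the same length is used here when none is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt(stored):
    """Recover the salt from a stored {SSHA} value."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    return raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value in constant time."""
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ro_user_ldif(dn, password):
    """Render an entry shaped like the answer's ro_user_desc.ldif with a fresh hash."""
    return "\n".join([
        "dn: " + dn,
        "objectClass: simpleSecurityObject",
        "objectClass: organizationalRole",
        "userPassword: " + ssha_hash(password),
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values; the real DN and password come from your deployment.
    print(ro_user_ldif("cn=ro_admin,dc=example,dc=com", "example-only-password"))
```

Feed the printed text to `ldapadd` exactly as the answer does; the hash verifies with `ssha_verify`, and `ssha_salt` is handy when checking that an existing value actually carries a salt.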

Author: Gilles 'SO- stop being evil'

Updated on September 18, 2022

Comments

  • Gilles 'SO- stop being evil' almost 2 years

    I'm using the Debian Squeeze OpenLDAP. Where can I set ACLs? Isn't it possible to execute the "access to" directives with ldapmodify? There's no slapd.conf file in Debian; they use a slapd.d folder.

  • burakkilinc about 12 years

    This is completely false for OpenLDAP. slapd.d is an LDIF-file-based LDAP database.

  • bahamat about 12 years

    @JeffStrunk Ah yes, that's different than I had expected :-(