openldap acl question
I've been trying to get OpenLDAP set up for unified auth between all of the
systems. Having worked with directories before, most of the setup was actually
rather easy, but then I came to the OpenLDAP ACL system and have been
thoroughly confused. If anyone could offer some comments or thoughts on
what I'm misinterpreting here, that would be wonderful.
What I'm trying to do:
Three branches on my LDAP tree off of the root DN: one for computers, one for
system administration people and one for the users (there will eventually
be several branches under this, but for now I'm attempting to keep it simple,
thus all the users are directly in the users branch). I want the users in
the admin branch to be able to access and change anything except other users
in the admin branch (this will be reserved for the manager user only). I
want the machine accounts to be able to authenticate users and gather user
data but not see anything else in the machine or admin branches. Lastly,
I would like the users to not be able to log into the directory (directly)
or be able to see any of their info. Users cannot change their own
passwords, but certain machines can change users' passwords.
access to dn.subtree="ou=useracct,dc=testauth,dc=mbfc"
        attrs=entry
        by dn="cn=sleepy,ou=computer,dc=testauth,dc=mbfc" write
        by dn="cn=doc,ou=computer,dc=testauth,dc=mbfc" read
        by dn="cn=gimli,ou=computer,dc=testauth,dc=mbfc" read
        by dn.subtree="ou=Admin,dc=testauth,dc=mbfc" write
        by * none

access to dn.subtree="ou=useracct,dc=testauth,dc=mbfc"
        attrs=cn,uid,objectClass,loginShell,uidNumber,GidNumber,homeDirectory
        by dn="cn=sleepy,ou=computer,dc=testauth,dc=mbfc" write
        by dn="cn=doc,ou=computer,dc=testauth,dc=mbfc" read
        by dn="cn=gimli,ou=computer,dc=testauth,dc=mbfc" read
        by dn.subtree="ou=Admin,dc=testauth,dc=mbfc" write
        by * none

access to dn.subtree="ou=useracct,dc=testauth,dc=mbfc"
        attrs=shadowLastChange,shadowMax,shadowWarning,gecos
        by dn="cn=sleepy,ou=computer,dc=testauth,dc=mbfc" write
        by dn="cn=doc,ou=computer,dc=testauth,dc=mbfc" write
        by dn="cn=gimli,ou=computer,dc=testauth,dc=mbfc" write
        by dn.subtree="ou=Admin,dc=testauth,dc=mbfc" write
        by * none

access to dn.subtree="ou=useracct,dc=testauth,dc=mbfc"
        attrs=userPassword
        by dn="cn=sleepy,ou=computer,dc=testauth,dc=mbfc" write
        by dn="cn=doc,ou=computer,dc=testauth,dc=mbfc" compare
        by dn="cn=gimli,ou=computer,dc=testauth,dc=mbfc" compare
        by dn.subtree="ou=Admin,dc=testauth,dc=mbfc" write
        by * none

access to dn.subtree="ou=computer,dc=testauth,dc=mbfc"
        by dn.subtree="ou=Admin,dc=testauth,dc=mbfc"
        by self read
        by anonymous auth
        by * none

access to dn.subtree="ou=Admin,dc=testauth,dc=mbfc"
        by self write
        by anonymous auth
        by * none
The end result is that the machine and admin accounts can see the right
structure, but when I click on a user account with gq it errors out badly
with a complaint about not being able to contact the schema server. Also,
when doing an ldapsearch, nothing is returned. I believe I need an ACL to
allow those accounts to see the schema behind the entries. Any help or
comments on this would be greatly appreciated.
Bob T. Kat
-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
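As an added illustration (not part of the original message, and not slapd's own code), the Python below models how slapd walks a rule set like the one posted: it takes the first "access to" clause whose target matches the entry and attribute, then the first "by" clause whose identity matches, and every clause ends in an implicit "by * none"; access levels are ordered none < auth < compare < search < read < write, and a grant of one level implies all the lower ones. Two things the posted rules never grant are read access to the root DSE (dn.base="") and to cn=Subschema, which is where gq and other LDAP browsers fetch the schema; none of the posted clauses cover those two entries, and what an uncovered entry gets depends on the server-wide policy (global ACLs or slapd's built-in default), which the model takes as an explicit default argument rather than asserting. The by dn.subtree="ou=Admin,..." line in the ou=computer rule also carries no access level at all, so it cannot give the admins the write access the post asks for; the parser below rejects such a clause instead of guessing what slapd does with it. The embedded rule text is the posted set with those three changes, written with explicit dn.exact/dn.base styles, and with the shadow*/gecos rule left out to save space. Attribute names are compared case-insensitively, as in LDAP.

```python
"""Model of how slapd evaluates the ACLs in the post above: an added illustration,
not slapd's code, implementing the documented first-match semantics and levels."""
import re
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # ascending; each implies the lower ones

# Posted rules with three changes: anonymous read on the root DSE and cn=Subschema (where
# a browser looks for the schema), an explicit 'write' on the Admin clause of the ou=computer
# rule (the post gives no level), explicit dn styles.  The shadow*/gecos rule is left out.
ACL_TEXT = r'''
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to dn.subtree="ou=useracct,dc=testauth,dc=mbfc" attrs=entry
    by dn.exact="cn=sleepy,ou=computer,dc=testauth,dc=mbfc" write
    by dn.exact="cn=doc,ou=computer,dc=testauth,dc=mbfc" read
    by dn.exact="cn=gimli,ou=computer,dc=testauth,dc=mbfc" read
    by dn.subtree="ou=Admin,dc=testauth,dc=mbfc" write
    by * none
access to dn.subtree="ou=useracct,dc=testauth,dc=mbfc"
    attrs=cn,uid,objectClass,loginShell,uidNumber,gidNumber,homeDirectory
    by dn.exact="cn=sleepy,ou=computer,dc=testauth,dc=mbfc" write
    by dn.exact="cn=doc,ou=computer,dc=testauth,dc=mbfc" read
    by dn.exact="cn=gimli,ou=computer,dc=testauth,dc=mbfc" read
    by dn.subtree="ou=Admin,dc=testauth,dc=mbfc" write
    by * none
access to dn.subtree="ou=useracct,dc=testauth,dc=mbfc" attrs=userPassword
    by dn.exact="cn=sleepy,ou=computer,dc=testauth,dc=mbfc" write
    by dn.exact="cn=doc,ou=computer,dc=testauth,dc=mbfc" compare
    by dn.exact="cn=gimli,ou=computer,dc=testauth,dc=mbfc" compare
    by dn.subtree="ou=Admin,dc=testauth,dc=mbfc" write
    by * none
access to dn.subtree="ou=computer,dc=testauth,dc=mbfc"
    by dn.subtree="ou=Admin,dc=testauth,dc=mbfc" write
    by self read
    by anonymous auth
    by * none
access to dn.subtree="ou=Admin,dc=testauth,dc=mbfc"
    by self write
    by anonymous auth
    by * none
'''

def parse_acls(text):
    """Split 'access to <what> by <who> <level> ...' text into (what, clauses) rules."""
    rules = []
    for chunk in re.split(r"\baccess\s+to\b", text)[1:]:
        toks = shlex.split(chunk)                  # shlex removes the quotes around DNs
        first_by = toks.index("by")
        what = dict(t.partition("=")[::2] for t in toks[:first_by])
        rest = toks[first_by:]                     # by <who> <level> by <who> <level> ...
        if len(rest) % 3 or any(lvl not in LEVELS for lvl in rest[2::3]):
            raise ValueError("every 'by' clause needs an explicit access level")
        rules.append((what, list(zip(rest[1::3], rest[2::3]))))
    return rules

def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def _dn_matches(style, pattern, dn):
    dn, pattern = _norm(dn), _norm(pattern)
    if style == "dn.subtree":
        return pattern == "" or dn == pattern or dn.endswith("," + pattern)
    return dn == pattern                           # dn.exact / dn.base

def _who_matches(who, bind_dn, entry_dn):
    if who in ("*", "anonymous", "self"):          # keyword forms of <who>
        return {"*": True, "anonymous": bind_dn is None,
                "self": bind_dn is not None and _norm(bind_dn) == _norm(entry_dn)}[who]
    style, _, pattern = who.partition("=")         # dn.exact=... or dn.subtree=...
    return bind_dn is not None and _dn_matches(style, pattern, bind_dn)

def _what_matches(what, entry_dn, attr):
    if "attrs" in what and attr.lower() not in what["attrs"].lower().split(","):
        return False
    style = next(k for k in what if k.startswith("dn"))
    return _dn_matches(style, what[style], entry_dn)

def granted(rules, bind_dn, entry_dn, attr, default="none"):
    """Level bind_dn (None = anonymous) holds on attr of entry_dn: the first matching
    'access to', then its first matching 'by', each clause ending in an implicit
    'by * none'.  An entry no clause covers gets 'default' (a modelling assumption)."""
    for what, clauses in rules:
        if _what_matches(what, entry_dn, attr):
            return next((lvl for who, lvl in clauses
                         if _who_matches(who, bind_dn, entry_dn)), "none")
    return default

def allows(rules, bind_dn, entry_dn, attr, needed):
    return LEVELS.index(granted(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)

def search_returns(rules, bind_dn, entry_dn, filter_attrs, wanted):
    """Attributes a search shows for entry_dn, or None when the entry itself is
    withheld: read on 'entry' plus search on every filter attribute are required."""
    if not allows(rules, bind_dn, entry_dn, "entry", "read") or not all(
            allows(rules, bind_dn, entry_dn, a, "search") for a in filter_attrs):
        return None
    return [a for a in wanted if allows(rules, bind_dn, entry_dn, a, "read")]
```

Run against these rules, an anonymous bind gets read on the root DSE and on cn=Subschema but none on a user's userPassword (so users cannot bind, as the post intends), cn=doc gets compare on that attribute (enough to verify a password, not enough to read the hash), and a search by cn=doc for a user entry returns uid but withholds userPassword. Order matters just as much as content: a broad clause such as access to dn.subtree="dc=testauth,dc=mbfc" placed ahead of the per-branch rules would match first, and the rules after it would never be consulted.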