I have the following LDIF file to create LDAP admins.

dn: ou=Manager,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: Manager

dn: ou=Customers,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: Customers

dn: cn=customerAccountAdmin,ou=Manager,dc=example,dc=org
cn: customerAccountAdmin
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: top
userPassword: {SSHA}*removed*

dn: ou=Users,ou=Customers,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Groups,ou=Customers,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: Groups

I created the following LDIF to allow multiple admins for phpLDAPadmin (they will manage multiple customers).

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {2}to * by dn.base="cn=customerAccountAdmin,ou=Manager,dc=example,dc=org" write

After logging in to phpLDAPadmin, the customerAccountAdmin cannot see the tree, but from the ACL view it should have every permission.

Am I missing something? Is there an easier way to achieve this?

1 Answer

Your problem comes from the order in which the access directives are evaluated:

Within this priority, access directives are examined in the order in which they appear in the config file. Slapd stops with the first <what> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.

(cf. Access Control Evaluation). That means that your second to * directive is never evaluated and the first one applies to all entries.

You should modify the access rules to look like:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=example,dc=org" write
  by anonymous auth
  by * none
olcAccess: to *
  by self read
  by dn="cn=admin,dc=example,dc=org" write
  by dn.base="cn=customerAccountAdmin,ou=Manager,dc=example,dc=org" write
  by * none

An alternative (which combines with your previous question) is to create a cn=Administrators,dc=example,dc=org group and give write access to everything to the members of this group:

dn: cn=Administrators,dc=example,dc=org
changetype: add
cn: Administrators
objectClass: groupOfNames
member: cn=customerAccountAdmin,ou=Manager,dc=example,dc=org
member: cn=admin,dc=example,dc=org

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.exact="cn=Administrators,dc=example,dc=org"
  by dn.exact="cn=admin,dc=example,dc=org" write
  by * none
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by group.exact="cn=Administrators,dc=example,dc=org" write
  by anonymous auth
  by * none
olcAccess: to *
  by self read
  by group.exact="cn=Administrators,dc=example,dc=org" write
  by * none

EDIT: Worth mentioning, it is important that you use replace: olcAccess or delete before adding if you're still using the default olcAccess. add: olcAccess without removing the default olcAccess does not work since it won't override it.

Piotr P. Karwasz
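The first-match rule quoted in the answer is easy to misread, so here is a small Python simulator, added here and not part of the original question or answer, that parses the olcAccess values from the question and from the answer and evaluates them the way slapd does: the first "to <what>" clause that matches the entry/attribute pair is the only one consulted, and inside it the first matching "by <who>" clause decides the level. It supports only the syntax that appears on this page, treats dn=, dn.base= and dn.exact= all as an exact DN comparison (a simplification), and resolves group.exact membership against a constructed in-memory directory; the DNs and the Administrators group are the ones from the page.

```python
import re

# Added example, not code from the original question or answer: a toy model of
# slapd's first-match ACL evaluation covering only the syntax used on this page.
# Simplification: dn=, dn.base= and dn.exact= are all treated as exact DN match.

def parse_acl(value):
    """Parse one olcAccess value into {'what': ..., 'by': [(who, level), ...]}.
    Tolerates a {n} ordering prefix and LDIF continuation lines (leading spaces)."""
    value = re.sub(r"\n +", " ", value.strip())   # unfold LDIF continuation lines
    value = re.sub(r"^\{\d+\}", "", value)        # drop {n} ordering prefix
    m = re.match(r"to\s+(\S+)\s+(by\s+.*)$", value, re.S)
    if not m:
        raise ValueError("unsupported olcAccess syntax: %r" % value)
    what, rest = m.groups()
    return {"what": what, "by": re.findall(r"by\s+(\S+)\s+(\w+)", rest)}

def _dn_of(clause):
    """Quoted DN from clauses like dn.exact="cn=..." or group.exact="cn=...", lower-cased."""
    return clause.split("=", 1)[1].strip('"').lower()

def _what_matches(what, entry_dn, attr):
    """Does the <what> selector cover this entry/attribute pair?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.lower() for a in what[len("attrs="):].split(",")]
    if what.startswith("dn"):
        return _dn_of(what) == entry_dn.lower()
    raise ValueError("unsupported <what> clause: %r" % what)

def _who_matches(who, bind_dn, entry_dn, directory):
    """Does the <who> selector cover the bound identity? '' means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn.lower() == entry_dn.lower()
    if who.startswith("group"):        # group.exact="...": member lookup in the directory
        members = directory.get(_dn_of(who), {}).get("member", [])
        return bind_dn.lower() in [m.lower() for m in members]
    if who.startswith("dn"):
        return _dn_of(who) == bind_dn.lower()
    raise ValueError("unsupported <who> clause: %r" % who)

def access(rules, bind_dn, entry_dn, attr, directory=None):
    """Access level bind_dn gets on (entry_dn, attr). Mirrors the quoted rule:
    the first matching <what> is the only one consulted; inside it the first
    matching <who> decides; a match with no matching <who> is an implicit deny."""
    directory = directory or {}
    for rule in map(parse_acl, rules):
        if _what_matches(rule["what"], entry_dn, attr):
            for who, level in rule["by"]:
                if _who_matches(who, bind_dn, entry_dn, directory):
                    return level
            return "none"
    return "none"

ADMIN = "cn=admin,dc=example,dc=org"
CUST_ADMIN = "cn=customerAccountAdmin,ou=Manager,dc=example,dc=org"
GROUP = "cn=Administrators,dc=example,dc=org"

# Rules as posted in the question: the {2} 'to *' is shadowed by the {1} 'to *'.
BROKEN = [
    '{0}to attrs=userPassword,shadowLastChange by self write by dn="%s" write '
    'by anonymous auth by * none' % ADMIN,
    '{1}to * by self read by dn="%s" write by * none' % ADMIN,
    '{2}to * by dn.base="%s" write' % CUST_ADMIN,
]

# Rules as given in the answer, kept LDIF-folded so parse_acl has to unfold them.
FIXED = [
    'to attrs=userPassword,shadowLastChange\n  by self write\n  by dn="%s" write\n'
    '  by anonymous auth\n  by * none' % ADMIN,
    'to *\n  by self read\n  by dn="%s" write\n  by dn.base="%s" write\n  by * none'
    % (ADMIN, CUST_ADMIN),
]

# Group-based variant from the answer; membership comes from a constructed directory.
GROUPED = [
    'to dn.exact="%s" by dn.exact="%s" write by * none' % (GROUP, ADMIN),
    'to attrs=userPassword,shadowLastChange by self write by group.exact="%s" write '
    'by anonymous auth by * none' % GROUP,
    'to * by self read by group.exact="%s" write by * none' % GROUP,
]
DIRECTORY = {GROUP.lower(): {"member": [CUST_ADMIN, ADMIN]}}   # constructed sample data

def demo():
    """What customerAccountAdmin (and an anonymous bind) get under each rule set."""
    tree = "ou=Customers,dc=example,dc=org"
    user = "cn=someone,ou=Users,ou=Customers,dc=example,dc=org"   # constructed entry
    return {
        "broken_tree": access(BROKEN, CUST_ADMIN, tree, "ou"),
        "fixed_tree": access(FIXED, CUST_ADMIN, tree, "ou"),
        "grouped_tree": access(GROUPED, CUST_ADMIN, tree, "ou", DIRECTORY),
        "anon_password": access(FIXED, "", user, "userPassword"),
        "anon_tree": access(FIXED, "", tree, "ou"),
    }

if __name__ == "__main__":
    for name, level in demo().items():
        print("%-14s %s" % (name, level))
```

Under the question's rules customerAccountAdmin gets "none" on ou=Customers, because the {1} "to *" matches first and its "by * none" closes the evaluation; under either corrected rule set it gets "write", while an anonymous bind still gets only "auth" on userPassword and nothing on the tree. On a real server the same check is done with slapacl(8) against the live cn=config, for example slapacl -F /etc/ldap/slapd.d -D "cn=customerAccountAdmin,ou=Manager,dc=example,dc=org" -b "ou=Customers,dc=example,dc=org" ou/read, which is worth running after every olcAccess change since replace: olcAccess takes effect immediately and a typo in the "to *" rule can lock out or expose the whole tree.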