
I am using LAM as an interface for openLDAP.

I am able to log in using the admin account I created in the config, but I am looking to allow other users to log in.

To this end, I am trying to create ACLs to permit a group (or even individuals!) to admin the ldap.

My current config is:

{0}to *  by * break
{1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
{2}to * by dn.exact=uid=<user>,ou=People,dc=<mysite>,dc=com manage by * break

When I try, I simply get:

Was unable to add attributes to DN: uid=<user>,ou=People,dc=<mysite>,dc=com.
LDAP error, server says: Insufficient access - Insufficient access

I can log in and see the data, but I am unable to implement changes. Shouldn't the manage allow me to?

Additional:

I have set the openLDAP to use the olc as opposed to the slapd.conf.

I am accessing a php interface (LDAP Account Manager Pro) which I bind using the diradmin, but I want to allow a limited set of users (admin) to bind using their own credentials and still have manage permissions to everything in the ldap (not the cn=config).

Doing slapcat -b cn=config returns:

5d499450 could not open config file "/etc/openldap/slapd.conf": Permission denied (13) slapcat: bad configuration file!

But this file doesn't exist right now, so I'd expect this, right?

James Korden
  • So obviously there is something wrong with your file. Off topic. – user207421 Mar 08 '19 at 16:58
  • Is your directory configured via a slapd.conf file or the slapd.config utility? Please be more specific with "allow other users to login" and "allow individuals to admin the ldap" (is this *other users* vs *individuals*, or is it the same set?). Specify the command used 1. for modifying the configuration (if using slapd.config) and 2. for testing auth and manage permissions. Also, we don't know in which context these directives should be applied: is this global or backend-specific? – EricLavault Aug 04 '19 at 10:30
  • With "global vs backend-specific" I mean: should these directives also apply to the config itself (allowing *individuals* to modify the access policy, which is not secure)? Or to a specific backend or to a specific database? It's not that important, but since global directives are inherited... (3 directives alone are not enough; please add all "access to" directives grepped from `slapcat -b cn=config` or add details from the slapd.conf file). – EricLavault Aug 04 '19 at 10:41
  • Using OLC, the error message should also mention something like `slapd.d//cn=config/olcDatabase*.ldif: No such file or directory`, right ? If slapd cannot even load the proper config and you are sure to have set the proper "chmod" flags, that may be explained by SELinux running on your machine, in which case you can put it into permissive mode, time to set the correct rules. – EricLavault Aug 08 '19 at 09:59
