
I am running OpenLDAP 2.4.40 and have applied the following ACL:

 olcAccess: {0}to * by self write by dn="cn=Manager,dc=sample,dc=com" write by * read
 olcAccess: {1}to dn.children="ou=sysUsers,dc=sample,dc=com" attrs=userPassword,shadowLastChange,description,sshPublicKey by self write by dn="cn=Manager,dc=sample,dc=com" write by anonymous auth by * none

I want to change userPassword, shadowLastChange, description and sshPublicKey as the user (sysUsers). But it gives me a permission error: no write permission.

 # slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'
 authcDN: ""
 entry: read(=rscxd)
 children: read(=rscxd)
 gidNumber=1000: read(=rscxd)
 homeDirectory=/home/user1: read(=rscxd)
 cn=user1: read(=rscxd)
 sshPublicKey=ssh-rsa AAAAB3Nza…cGWliPbw== [email protected]: read(=rscxd)
 userPassword=****: read(=rscxd)
 description=test user1: read(=rscxd)
 modifyTimestamp=20161025074434Z: read(=rscxd)

 LDAP response: Insufficient access
 error number: 0x32 (LDAP_INSUFFICIENT_ACCESS)
 description: You do not have sufficient permissions to perform that operation.

I tried modifying description as user uid=user1,ou=sysUsers,dc=sample,dc=com, but it failed.

uid=Manager,ou=sysUsers,dc=sample,dc=com is able to modify it, though.

What am I doing wrong? I suspect an ACL problem?

2 Answers

3
 olcAccess: {0}to * by self write by dn="cn=Manager,dc=sample,dc=com" write by * read
 olcAccess: {1}to dn.children="ou=sysUsers,dc=sample,dc=com" attrs=userPassword,shadowLastChange,description,sshPublicKey by self write by dn="cn=Manager,dc=sample,dc=com" write by anonymous auth by * none

First of all, the ACL sequence you have given is not correct. In this case everything will match the first directive, as it has "*" in it, which matches everything, and evaluation will never get to the second ACL rule.

Second, the command you used to check the ACL permissions is incorrect. You used:

slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com' 

This is incorrect: -D is the DN whose permissions are to be checked, and -b is the base DN against which the permissions are checked.

So the correct command to check self permissions should be:

slapacl -D 'uid=user1,ou=sysUsers,dc=sample,dc=com' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com' 

EDIT AFTER YOUR FINDINGS: The ACL you applied was for dn: olcDatabase={0}config,cn=config, whereas it should be applied to the database DN dn: olcDatabase={2}bdb,cn=config.

What I am pretty sure you are trying to do is change the description of DN "uid=Manager,ou=sysUsers,dc=sample,dc=com", which of course, according to the ACL, nobody else will be able to do except DN "uid=Manager,ou=sysUsers,dc=sample,dc=com" itself or DN "cn=Manager,dc=sample,dc=com".

Hope this helps! Please support the answer by marking it as helpful or accepting it if it did.
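The ordering point made in this answer (a `to *` directive placed first matches every request, so the attribute-specific directive after it is never consulted) can be checked without a running slapd. What follows is an added example, not code from the question or from the answer: a small Python model of slapd's first-match evaluation from slapd.access(5), fed the two olcAccess directives exactly as posted and then the same two directives with their order swapped. The second account uid=user2 and the questions asked in report() are assumptions for illustration. The model also shows what the posted order does beyond the write problem: because the catch-all rule ends in `by * read`, anonymous clients can read userPassword hashes and any user can read any other user's sshPublicKey; with the specific rule first, anonymous gets only auth on userPassword (so simple binds still work), other users get nothing, and user1 keeps write on its own description.

```python
"""Toy evaluator for OpenLDAP olcAccess directives (first-match semantics).

Models the rules from slapd.access(5) that matter here: the first <what>
clause that matches the target is the only one consulted, and within it the
first <by> clause that matches the requester decides. Deny-by-default is
assumed when nothing matches (slapd ends any non-empty access list with an
implicit 'access to * by * none'). Only the <who> forms used on this page are
supported; this is an illustration, not slapd's own code.
"""
from typing import Optional

# Privilege ladder from slapd.access(5); a grant at one level implies all lower ones,
# so 'read' on userPassword implies 'auth' and also discloses the stored hash.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn: str) -> str:
    """Crude DN normalisation (enough for ASCII DNs like the ones in the question)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acl(text: str) -> list:
    """Turn '{n}to <what> by <who> <access> ...' lines into [(what, [(who, access), ...])]."""
    rules = []
    for line in text.strip().splitlines():
        body = line.split("to ", 1)[1]                  # drop the "{n}to " prefix
        what, *bys = [p.strip() for p in body.split(" by ")]
        rules.append((what, [tuple(b.rsplit(" ", 1)) for b in bys]))
    return rules


def what_matches(what: str, entry: str, attr: Optional[str]) -> bool:
    """attr=None means entry-level access; an attrs= clause never matches that."""
    if what == "*":
        return True
    scope_ok, attrs_ok = True, True
    for part in what.split():
        key, _, val = part.partition("=")
        val = val.strip('"')
        if key == "dn.children":                        # strictly below the base DN
            scope_ok = norm(entry) != norm(val) and norm(entry).endswith("," + norm(val))
        elif key == "dn.subtree":
            scope_ok = norm(entry) == norm(val) or norm(entry).endswith("," + norm(val))
        elif key in ("dn", "dn.base", "dn.exact"):
            scope_ok = norm(entry) == norm(val)
        elif key == "attrs":
            attrs_ok = attr is not None and attr.lower() in val.lower().split(",")
    return scope_ok and attrs_ok


def who_matches(who: str, bound: str, entry: str) -> bool:
    """bound is the authenticated DN; '' means an anonymous requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound == ""
    if who == "users":
        return bound != ""
    if who == "self":
        return bound != "" and norm(bound) == norm(entry)
    if who.startswith("dn="):                           # bare dn= means dn.exact
        return norm(bound) == norm(who[3:].strip('"'))
    raise ValueError("unsupported <who> clause: " + who)


def check(rules: list, bound: str, entry: str, attr: Optional[str], wanted: str) -> bool:
    """True if the first matching <what>'s first matching <by> grants at least `wanted`."""
    for what, bys in rules:
        if not what_matches(what, entry, attr):
            continue
        for who, access in bys:
            if who_matches(who, bound, entry):
                return LEVELS.index(access) >= LEVELS.index(wanted)
        return False                                    # matched <what>, no matching <by>
    return False                                        # no <what> matched at all


# The two directives exactly as posted in the question, in the posted order.
ORIGINAL_ORDER = """
{0}to * by self write by dn="cn=Manager,dc=sample,dc=com" write by * read
{1}to dn.children="ou=sysUsers,dc=sample,dc=com" attrs=userPassword,shadowLastChange,description,sshPublicKey by self write by dn="cn=Manager,dc=sample,dc=com" write by anonymous auth by * none
"""

USER1 = "uid=user1,ou=sysUsers,dc=sample,dc=com"
USER2 = "uid=user2,ou=sysUsers,dc=sample,dc=com"      # constructed second account, not from the page
MANAGER = "cn=Manager,dc=sample,dc=com"


def report(rules: list) -> dict:
    """The questions a practitioner would put to slapacl, answered against one rule set."""
    return {
        "anon_reads_password":   check(rules, "", USER1, "userPassword", "read"),
        "anon_can_bind":         check(rules, "", USER1, "userPassword", "auth"),
        "user2_reads_user1_key": check(rules, USER2, USER1, "sshPublicKey", "read"),
        "user1_writes_own_desc": check(rules, USER1, USER1, "description", "write"),
        "user1_reads_own_cn":    check(rules, USER1, USER1, "cn", "read"),
        "manager_sets_password": check(rules, MANAGER, USER1, "userPassword", "write"),
    }


if __name__ == "__main__":
    posted = parse_acl(ORIGINAL_ORDER)
    reordered = posted[::-1]                            # attrs-specific rule first, 'to *' last
    for name, rules in (("posted order", posted), ("specific rule first", reordered)):
        print(name)
        for question, granted in report(rules).items():
            print("  %-22s %s" % (question, "granted" if granted else "denied"))
```

Running it prints the same six questions answered under both orders. On a real server the reordered directives belong on the data database entry (olcDatabase={2}bdb,cn=config in this answer), not on olcDatabase={0}config, and `slapacl -D <user DN> -b <user DN>` is the check whose output the model's answers should reproduce.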

0

To Anirudh Malhotra: thanks for replying.

I tried changing the ACL.

 [root@evolable-ldap-01 cn=config]# cat olcDatabase\=\{0\}config.ldif
 # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
 # CRC32 57182ee5
 dn: olcDatabase={0}config
 objectClass: olcDatabaseConfig
 olcDatabase: {0}config
 olcAddContentAcl: TRUE
 olcLastMod: TRUE
 olcMaxDerefDepth: 15
 olcReadOnly: FALSE
 olcRootDN: cn=config
 olcSyncUseSubentry: FALSE
 olcMonitoring: FALSE
 structuralObjectClass: olcDatabaseConfig
 entryUUID: af419f18-0036-1035-8ba5-452a6aebab7f
 creatorsName: cn=config
 createTimestamp: 20151006052730Z
 olcAccess: {0}to dn.children="ou=sysUsers,dc=evolableasia,dc=net" attrs=userPassword,shadowLastChange,description,sshPublicKey by dn="uid=user1,ou=sysUsers,dc=sample,dc=com" write by self write by dn="cn=Manager,dc=sample,dc=com" write by * none
 olcAccess: {1}to * by self write by dn="cn=Manager,dc=sample,dc=com" write by anonymous auth by * read
 entryCSN: 20161026004145.362887Z#000000#000#000000
 modifiersName: cn=manager,dc=sample,dc=com
 modifyTimestamp: 20161026004145Z

But the slapacl output has not changed.

 # slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'
 authcDN: "uid=user1,ou=sysusers,dc=sample,dc=com"
 entry: read(=rscxd)
 children: read(=rscxd)
 gidNumber=1000: read(=rscxd)
 homeDirectory=/home/user1: read(=rscxd)
 cn=user1: read(=rscxd)
 sshPublicKey=ssh-rsa AAAAB3Nza…cGWliPbw== [email protected]: read(=rscxd)
 userPassword=****: read(=rscxd)
 description=test user1: read(=rscxd)
 modifyTimestamp=20161025074434Z: read(=rscxd)
  • I see you are new to Stack Exchange; please use comments to ask follow-up queries. All the answers are written here. Now, as far as your question is concerned, as I answered in my reply above, you are using slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com' to see the user's ACL, which is incorrect. Instead the correct usage is slapacl -D 'uid=user1,ou=sysUsers,dc=sample,dc=com' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'. Please post the output of this! Commented Oct 26, 2016 at 4:02
  • slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com' and slapacl -D 'uid=user1,ou=sysUsers,dc=sample,dc=com' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com' give the same result except for authcDN. Commented Oct 26, 2016 at 6:56
  • Can you please add the updated output of both to the question. Also, I see you are editing your outputs. Please do not add anything; if you want to edit, that's OK, but do not add anything, because that is going to stop us from getting to the bottom of this. Also, your outputs of slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com' in the question and in your answer above differ. That is why I am saying do not edit (add anything to) your answers; otherwise you will be left with no solution and I won't care! Commented Oct 26, 2016 at 7:05
  • # diff aaa.txt bbb.txt
    1c1
    < authcDN: ""
    ---
    > authcDN: "uid=user1,ou=sysusers,dc=sample,dc=com"
    Commented Oct 26, 2016 at 11:45
  • aaa.txt is slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com' and bbb.txt is slapacl -D 'uid=user1,ou=sysUsers,dc=sample,dc=com' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'. Commented Oct 26, 2016 at 11:47
