[Systems] LDAP access rights

Sascha Silbe sascha-ml-reply-to-2010-3 at silbe.org
Sat Sep 11 06:36:43 EDT 2010


Excerpts from Bernie Innocenti's message of Fri Sep 10 22:17:59 +0200 2010:

> ACLs are obfuscated by the crap ldif format, but they are right there
> in /etc/ldap/slapd.d/cn=config/olcDatabase\=\{1\}hdb.ldif

D'oh, I forgot to adjust the find parameters when searching the config
database. I now got it to work. To change the configuration, I used:

ldapvi -D cn=admin,cn=config -b cn=config

with the sunjammer root password. Feel free to add this to some wiki
page. ;)


>  olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self write by * none
>  olcAccess: {1}to dn.base="" by * read by anonymous read
>  olcAccess: {2}to * by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by * read by anonymous read

I added the following rule between the old {0} and {1}:


olcAccess: {1}to attrs=tls-public-key by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self manage by * none


To modify the key, I used

ldapvi -D uid=silbe,ou=People,dc=sugarlabs,dc=org -b uid=silbe,ou=People,dc=sugarlabs,dc=org

with my user password. Only "simple" authentication works; SASL fails:

ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database

Maybe the password change problem has the same root cause? The error
message from passwd is:

passwd: Authentication information cannot be recovered


Sascha

-- 
http://sascha.silbe.org/
http://www.infra-silbe.de/
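An added illustration, not part of the original mail or of the Sugar Labs configuration: a small Python model of how slapd evaluates the olcAccess rules quoted above, with the new tls-public-key rule inserted as {1} and the old {1}/{2} renumbered to {2}/{3} (that renumbering is assumed from "between the old {0} and {1}"). It implements the two ordering facts that matter for this change, that the first matching "to" clause wins and that inside it the first matching "by" clause wins, so it shows why the tls-public-key rule has to sit before the catch-all "to * ... by * read" rule: placed after it, the key would be world-readable. The evaluator covers only the target and subject forms that appear in these four rules (attrs=, dn.base=, *, dn=, sockname=, self, anonymous) and ignores the rest of slapd.access(5).

```python
import re
from dataclasses import dataclass
from typing import Optional

# slapd's access levels in increasing order; a grant of one level also
# permits every level below it (e.g. "write" implies "read").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The olcAccess values as they stand after the change described in the mail.
# Constructed from the quoted config; the {n} renumbering is an assumption.
RULES = [
    'olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self write by * none',
    'olcAccess: {1}to attrs=tls-public-key by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self manage by * none',
    'olcAccess: {2}to dn.base="" by * read by anonymous read',
    'olcAccess: {3}to * by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by * read by anonymous read',
]


@dataclass
class Requester:
    dn: Optional[str] = None        # None models an anonymous bind
    sockname: Optional[str] = None  # local socket path of an ldapi:// connection


def parse_rule(line):
    """Split one olcAccess value into (target, [(who, level), ...])."""
    body = re.sub(r"^olcAccess:\s*\{\d+\}", "", line.strip())
    if not body.startswith("to "):
        raise ValueError("expected a 'to' clause: " + line)
    parts = re.split(r"\s+by\s+", body[3:].strip())
    target, clauses = parts[0], []
    for part in parts[1:]:
        who, level = part.rsplit(None, 1)  # 'dn="cn=admin,..." manage' -> who, level
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        clauses.append((who, level))
    return target, clauses


def target_matches(target, entry_dn, attr):
    """Does a 'to' clause apply to attribute `attr` of entry `entry_dn`?"""
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr in target[len("attrs="):].split(",")
    m = re.fullmatch(r'dn\.base="(.*)"', target)
    if m:  # dn.base matches exactly one entry; "" is the root DSE
        return entry_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported target form: " + target)


def who_matches(who, req, entry_dn):
    """Does a 'by' clause apply to this requester on this entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return req.dn is None
    if who == "self":  # the bound DN is the entry being accessed
        return req.dn is not None and req.dn.lower() == entry_dn.lower()
    m = re.fullmatch(r'(dn|sockname)="(.*)"', who)
    if m:
        kind, value = m.groups()
        if kind == "dn":
            return req.dn is not None and req.dn.lower() == value.lower()
        return req.sockname == value  # socket paths are case-sensitive
    raise ValueError("unsupported 'by' form: " + who)


def granted_level(rules, req, entry_dn, attr):
    """First matching 'to' wins; within it the first matching 'by' wins.

    A 'to' that matches but whose 'by' clauses all miss denies access, and so
    does running off the end of the list: slapd's default is "none".
    """
    for target, clauses in map(parse_rule, rules):
        if target_matches(target, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, req, entry_dn):
                    return level
            return "none"
    return "none"


def allowed(rules, req, entry_dn, attr, wanted):
    """True if the granted level is at least `wanted` (levels are ordered)."""
    return LEVELS.index(granted_level(rules, req, entry_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    silbe = "uid=silbe,ou=People,dc=sugarlabs,dc=org"
    other = "uid=someone,ou=People,dc=sugarlabs,dc=org"  # constructed second user
    for label, req in [("anonymous", Requester()), ("self", Requester(dn=silbe)),
                       ("other user", Requester(dn=other)),
                       ("ldapi root socket", Requester(sockname="PATH=/var/lib/ldap_root/ldapi"))]:
        for attr in ("userPassword", "tls-public-key", "cn"):
            print(f"{label:18s} {attr:16s} -> {granted_level(RULES, req, silbe, attr)}")
```

Running it prints one line per (requester, attribute) pair; the "anonymous tls-public-key -> none" line is the effect of placing the new rule ahead of the catch-all, and the "self tls-public-key -> manage" line is what lets the ldapvi command in the mail edit the key with only the user's own password.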