I've created simple tree:
dn: ou=groups,dc=itzone,dc=pl
objectclass: top
objectclass: organizationalUnit
ou: groups
dn: ou=users,dc=itzone,dc=pl
objectclass: top
objectclass: organizationalUnit
ou: users
# billy, itzone.pl
dn: cn=billy,ou=users,dc=itzone,dc=pl
uid: billy
cn: billy
sn: 3
objectClass: top
objectclass: person
objectclass: organizationalPerson
objectClass: inetOrgPerson
userPassword: admin
dn: cn=developers,ou=groups,dc=itzone,dc=pl
objectclass: top
objectclass: groupOfUniqueNames
cn: developers
ou: developer
uniqueMember: cn=billy,ou=users,dc=itzone,dc=pl
uniqueMember: cn=admin,dc=itzone,dc=pl
Now I want to search base dn
I can search base dn with admin account
ldapsearch -x -H ldap://$OPENLDAP_HOST -b dc=itzone,dc=pl -D "cn=admin,dc=itzone,dc=pl"
I can not do it with billy account
ldapsearch -x -H ldap://$OPENLDAP_HOST -b dc=itzone,dc=pl -D "cn=billy,ou=users,dc=itzone,dc=pl"
I I get error 32.
I think it is because of acl.
My question is:
How I can add acl to search base dn using billy account.
Thank you for your help.
actually found what to fix (it's the listing for default ACLs)
[root@] ldapsearch -H ldapi:// -Y EXTERNAL -LLL -Q -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=a
dmin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write by *
none
to * by self read by dn="cn=admin,dc=example,dc=org" write by * noneto * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none[root@] ldapmodify -H ldapi:// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none
modifying entry "olcDatabase={1}mdb,cn=config"
I've tried @phi1ipp solution but I still cannot search base DN (get a 32 error "No such object").
Anyone else has an idea on how to configure OpenLDAP for this use case ?
How do you run your search? And can you verify what your ACL does look like?
Damn... I should have checked my ACL first before adding the scripts.
The original ACL I had was a bit different than yours so the delete was not executed even though the add was.
My original ACL had self write:
olcAccess: to * by self write by dn="cn=admin,dc=ldap,dc=company,dc=com" write by * none
While the delete I executed based on your example had self read:
olcAccess: to * by self read by dn="cn=admin,dc=ldap,dc=company,dc=com" write by * none
After deleting the proper ACL, worked fine 馃憤
ldapsearch -x -H ldapi:// -b ou=People,dc=ldap,dc=company,dc=com -D "uid=demo,ou=People,dc=ldap,dc=company,dc=com" -w demopassword
# extended LDIF
#
# LDAPv3
...
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Yay, glad it worked for you :)
actually found what to fix (it's the listing for default ACLs)
[root@] ldapsearch -H ldapi:// -Y EXTERNAL -LLL -Q -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess dn: olcDatabase={1}mdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=a dmin,dc=example,dc=org" write by anonymous auth by * none olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
- remove acl
to * by self read by dn="cn=admin,dc=example,dc=org" write by * none- add acl
to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none[root@] ldapmodify -H ldapi:// -Y EXTERNAL SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: olcDatabase={1}mdb,cn=config changetype: modify delete: olcAccess olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by * none dn: olcDatabase={1}mdb,cn=config changetype: modify add: olcAccess olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none modifying entry "olcDatabase={1}mdb,cn=config"How does it work in docker. I don't understand the process.Is this all a command?
Yes, you need either to connect to the docker to run those commands manually, or to put them into a docker script.
From a command line you run
[root@] ldapmodify -H ldapi:// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
and provide it with the input
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none
Yes, you need either to connect to the docker to run those commands manually, or to put them into a docker script.
From a command line you run
[root@] ldapmodify -H ldapi:// -Y EXTERNAL SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0and provide it with the input
dn: olcDatabase={1}mdb,cn=config changetype: modify delete: olcAccess olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by * none dn: olcDatabase={1}mdb,cn=config changetype: modify add: olcAccess olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none
I don't understand the argu -Y EXTERNAL. Does't it need a password?
If I use -D "cn=config" -w config,I got "ldap_bind: Invalid credentials (49)". I tried "cn=admin", "cn=admin,cn=config".It all failed.
It worked when I use -Y EXTERNAL,but I don't konw why.
Hope for a reply.
ldap:// -Y EXTERNAL uses your OS uid/gid. You can read more in openldap admin guide, section 15.2.4
docker exec -it containerNameReplaceMe ldapmodify -H ldapi:// -Y EXTERNAL
Most helpful comment
actually found what to fix (it's the listing for default ACLs)
to * by self read by dn="cn=admin,dc=example,dc=org" write by * noneto * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none