Docker-openldap: Simple ACL

Created on 27 Jan 2019  路  10Comments  路  Source: osixia/docker-openldap

I've created simple tree:

dn: ou=groups,dc=itzone,dc=pl
objectclass: top
objectclass: organizationalUnit
ou: groups

dn: ou=users,dc=itzone,dc=pl
objectclass: top
objectclass: organizationalUnit
ou: users

# billy, itzone.pl
dn: cn=billy,ou=users,dc=itzone,dc=pl
uid: billy
cn: billy
sn: 3
objectClass: top
objectclass: person
objectclass: organizationalPerson
objectClass: inetOrgPerson
userPassword: admin

dn: cn=developers,ou=groups,dc=itzone,dc=pl
objectclass: top
objectclass: groupOfUniqueNames
cn: developers
ou: developer
uniqueMember: cn=billy,ou=users,dc=itzone,dc=pl
uniqueMember: cn=admin,dc=itzone,dc=pl


Now I want to search base dn

I can search base dn with admin account

ldapsearch -x -H ldap://$OPENLDAP_HOST -b dc=itzone,dc=pl -D "cn=admin,dc=itzone,dc=pl"

I can not do it with billy account

ldapsearch -x -H ldap://$OPENLDAP_HOST -b dc=itzone,dc=pl -D "cn=billy,ou=users,dc=itzone,dc=pl"

I I get error 32.

I think it is because of acl.

My question is:

How I can add acl to search base dn using billy account.

Thank you for your help.

question

Most helpful comment

actually found what to fix (it's the listing for default ACLs)

[root@] ldapsearch -H ldapi:// -Y EXTERNAL -LLL -Q -b 'olcDatabase={1}mdb,cn=config'  -s base olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=a
 dmin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write by *
 none
  • remove acl to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
  • add acl to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none
[root@] ldapmodify -H ldapi:// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by * none

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none



modifying entry "olcDatabase={1}mdb,cn=config"

All 10 comments

actually found what to fix (it's the listing for default ACLs)

[root@] ldapsearch -H ldapi:// -Y EXTERNAL -LLL -Q -b 'olcDatabase={1}mdb,cn=config'  -s base olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=a
 dmin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write by *
 none
  • remove acl to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
  • add acl to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none
[root@] ldapmodify -H ldapi:// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by * none

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none



modifying entry "olcDatabase={1}mdb,cn=config"

I've tried @phi1ipp solution but I still cannot search base DN (get a 32 error "No such object").
Anyone else has an idea on how to configure OpenLDAP for this use case ?

How do you run your search? And can you verify what your ACL does look like?

Damn... I should have checked my ACL first before adding the scripts.

The original ACL I had was a bit different than yours so the delete was not executed even though the add was.
My original ACL had self write:

olcAccess: to * by self write by dn="cn=admin,dc=ldap,dc=company,dc=com" write by * none

While the delete I executed based on your example had self read:

olcAccess: to * by self read by dn="cn=admin,dc=ldap,dc=company,dc=com" write by * none

After deleting the proper ACL, worked fine 馃憤

ldapsearch -x -H ldapi:// -b ou=People,dc=ldap,dc=company,dc=com -D "uid=demo,ou=People,dc=ldap,dc=company,dc=com" -w demopassword

# extended LDIF
#
# LDAPv3
...
# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

Yay, glad it worked for you :)

actually found what to fix (it's the listing for default ACLs)

[root@] ldapsearch -H ldapi:// -Y EXTERNAL -LLL -Q -b 'olcDatabase={1}mdb,cn=config'  -s base olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=a
 dmin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write by *
 none
  • remove acl to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
  • add acl to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none
[root@] ldapmodify -H ldapi:// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by * none

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none



modifying entry "olcDatabase={1}mdb,cn=config"

How does it work in docker. I don't understand the process.Is this all a command?

Yes, you need either to connect to the docker to run those commands manually, or to put them into a docker script.

From a command line you run

[root@] ldapmodify -H ldapi:// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

and provide it with the input

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by * none

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none


Yes, you need either to connect to the docker to run those commands manually, or to put them into a docker script.

From a command line you run

[root@] ldapmodify -H ldapi:// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

and provide it with the input

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by * none

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by self read by dn="cn=admin,dc=example,dc=org" write by users read by * none

I don't understand the argu -Y EXTERNAL. Does't it need a password?
If I use -D "cn=config" -w config,I got "ldap_bind: Invalid credentials (49)". I tried "cn=admin", "cn=admin,cn=config".It all failed.
It worked when I use -Y EXTERNAL,but I don't konw why.
Hope for a reply.

ldap:// -Y EXTERNAL uses your OS uid/gid. You can read more in openldap admin guide, section 15.2.4

docker exec -it containerNameReplaceMe ldapmodify -H ldapi:// -Y EXTERNAL

Was this page helpful?
0 / 5 - 0 ratings

Related issues

dalareo picture dalareo  路  5Comments

Shriyanshmit picture Shriyanshmit  路  5Comments

tlchan picture tlchan  路  3Comments

LeaklessGfy picture LeaklessGfy  路  4Comments

mgcrea picture mgcrea  路  3Comments