Differences
ldap:openldap [2018/08/01 11:02] niziakldap:openldap [2018/08/01 12:05] (current) niziak
Line 24: Line 24:
     * access by "cn=admin,cn=config"     * access by "cn=admin,cn=config"
     * default password "config"     * default password "config"
 +    * **BaseDN: 'cn=config'** - use [[http://directory.apache.org/studio/|Apache Directory Studio]] to connect
  
-<code bash> +===== ACL =====
-$ ldapsearch -x -W -LLL -s base -D 'cn=admin,cn=config' -b 'cn=config' dn +
-Enter LDAP Password:  +
-dn: cn=config +
-</code>+
  
-<code bash> +[[https://www.openldap.org/doc/admin24/access-control.html]]
-$ ldapsearch -x -W -LLL -D 'cn=admin,cn=config' -b 'cn=config' dn +
-Enter LDAP Password +
-... +
-dn: olcDatabase={1}mdb,cn=config +
-... +
-</code>+
  
-<code bash> +Order matters in ACL rules. LDAP will stop looking on the first match. So new acl entries should be inserted before default ones.
-$ ldapsearch -x -W -LLL -D 'cn=admin,cn=config' -b 'cn=config' 'olcDatabase={1}mdb' +
-Enter LDAP Password: +
  
-dnolcDatabase={1}mdb,cn=config +Default entries
-objectClass: olcDatabaseConfig +<code>
-objectClass: olcMdbConfig +
-olcDatabase: {1}mdb +
-olcDbDirectory: /var/lib/ldap +
-olcSuffix: dc=example,dc=org+
 olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none
-olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write  by * none +olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
-olcLastMod: TRUE +
-olcRootDN: cn=admin,dc=example,dc=org +
-olcRootPW: {SSHA}abcdef... +
-olcDbCheckpoint: 512 30 +
-olcDbIndex: uid eq +
-olcDbIndex: mail eq +
-olcDbIndex: memberOf eq +
-olcDbIndex: entryCSN eq +
-olcDbIndex: entryUUID eq +
-olcDbIndex: objectClass eq +
-olcDbMaxSize: 1073741824+
 </code> </code>
 +  * olcAccess: {0}to attrs=userPassword,shadowLastChange
 +    * by self write 
 +    * by dn="cn=admin,dc=example,dc=org" write 
 +    * by anonymous auth 
 +    * by * none
 +  * olcAccess: {1}to * 
 +    * by self read 
 +    * by dn="cn=admin,dc=example,dc=org" write 
 +    * by * none
 +
 +
 +
 +Giving user: **uid=nextcloudsystemuser,ou=it,dc=grinn-global,dc=com** rights:
 +  * Entry to edit: **olcDatabase={1}mdb,cn=config**
 +  * Attribute to add: **olcAccess**
 +  * to by dn.exact="uid=nextcloudsystemuser,ou=it,dc=grinn-global,dc=com" read
 +
 +
 +==== Examples ====
 +
 +
 +<code>olcAccess: {1}to dn.base="" by * read</code>
 +
 +  * Give user access to modify photo: <code>olcAccess: to attrs=jpegPhoto by self write by * read</codE>
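Review bot: the new rule `to by dn.exact="uid=nextcloudsystemuser,ou=it,dc=grinn-global,dc=com" read` is missing its `<what>` target (`to *`, `to attrs=...` or a `dn.subtree=` selector) and a `{n}` position. Added to olcDatabase={1}mdb,cn=config without an index it is appended after `{1}to * ... by * none`, so slapd never reaches it, which contradicts the "insert before the default ones" advice a few lines up; inserted as a new `{1}to * ...` rule it would instead shadow the existing `to *` rule for everyone else, because slapd selects the first matching `to` clause and a requester that matches none of its `by` clauses is denied, locking out `self` and the admin DN. The least intrusive fix is to extend the existing rule in place: `olcAccess: {1}to * by self read by dn="cn=admin,dc=example,dc=org" write by dn.exact="uid=nextcloudsystemuser,ou=it,dc=grinn-global,dc=com" read by * none`. Two smaller points: the closing tag on the jpegPhoto example reads `</codE>`, and the removed `ldapsearch ... -b 'cn=config' 'olcDatabase={1}mdb'` command was the only way shown on the page to read back the resulting olcAccess values, so consider keeping it next to the ACL section as the verification step.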