Delegate access control in OpenLDAP


I have an OU (organizational unit) named “vendor”. How do I delegate access control management for this OU alone to one user? Is that possible, as it is in Windows AD?

Yes. Using OpenLDAP access control rules you can create fine-grained access control policies. I have tested this personally, and it is discussed here. There are two situations where you are likely to need it:

  1. Organizations where multiple parties are involved but share a common authentication system: the third parties then do not need to depend on the LDAP admin for password resets.
  2. Organizations with a medium or large number of users, where the password reset task is delegated to the service desk team.


Assume

base suffix = dc=sunt,dc=com

ou=vendor (the rules and test sessions below abbreviate this to ou=vend)

ou=people

User= “uid=emp1,ou=people,dc=sunt,dc=com”

The OU named vendor has to be managed by the non-rootdn user “emp1”. That user should be able to:

  1. Reset the passwords of users that exist in ou=vendor
  2. Add/remove users in ou=vendor
  3. Strictly, user emp1 must not be allowed to modify anything outside ou=vendor.

Openldap access control rules

The rules below have to be inserted on top of (before) the existing rules, because slapd uses the first "access to" clause that matches a request. Do not forget to replace the ou and dc values with your own wherever applicable.

access to dn.subtree=ou=vend,dc=sunt,dc=com attrs=userpassword,shadowlastchange
       by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write
       by self write
       by anonymous auth
       by * read
access to dn.subtree=ou=vend,dc=sunt,dc=com
       by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write
       by * read

These rules can be added dynamically through an LDIF file applied to the cn=config database. Create a file with the content shown here.

#cat db.ldif
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcaccess
olcaccess: {0}to dn.subtree=ou=vend,dc=sunt,dc=com attrs=userpassword,shadowlastchange by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write by self write by anonymous auth by * read
olcaccess: {1}to dn.subtree=ou=vend,dc=sunt,dc=com by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write by * read

Add these access control rules to OpenLDAP:

#ldapmodify -axw $PASS -D cn=config -f db.ldif

Note: you must bind as the rootdn of the “config” database (cn=config). Do not have one? No worries, follow this discussion and get it set up.

Finally, the access control rules of my backend database (bdb) look like this.

#ldapsearch -xw $PASS -D cn=config -b olcdatabase={2}bdb,cn=config -LLL olcaccess
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to dn.subtree=ou=vend,dc=sunt,dc=com attrs=userpassword,shadowlastchange by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write by self write by anonymous auth by * read
olcAccess: {1}to dn.subtree=ou=vend,dc=sunt,dc=com by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write by * read
olcAccess: {2}to attrs=userpassword,shadowlastchange by self write by anonymous auth by * read
olcAccess: {3}to * by * read

Tip

Add these rules to slapd.conf under the database section as well. As described earlier, they should be placed on top of the existing rules. Rules in slapd.conf are not used by the running slapd service (it reads cn=config instead), but keeping a copy there will make your life easier during recovery.

Validation

After applying the rules above, the OpenLDAP system is capable of the following:

  1. All users are able to log in and reset their own password
  2. User emp1 is able to reset the password of other users that exist in ou=vendor
  3. User emp1 is able to add and remove users in ou=vendor
  4. User emp1 is restricted from creating, deleting or password-resetting users in any other OU.
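As an added example (not part of the original post, and not OpenLDAP's own code), the following Python script models slapd's access-control evaluation closely enough to check the four validation outcomes above on paper, to show why the delegation rules must sit on top of the existing ones (the ordering requirement from the rules section), and to surface one caveat in the rule set as written: the trailing "by * read" on userpassword lets any authenticated account read the password hashes of vendor users, so a hardened variant ending in "by * none" is evaluated alongside it. The DNs and the rule sets are constructed from the post's own tree (ou=vend, emp1, emp3, vemp4); the evaluator is a simplification of slapd.access(5) and supports only dn.exact, dn.subtree, attrs=, self, anonymous, users and * clauses.

```python
"""Toy model of slapd's olcAccess evaluation (constructed example, not
OpenLDAP code).  slapd takes the FIRST 'access to' clause whose <what>
matches the entry/attribute, then the FIRST 'by' clause whose <who>
matches the bound DN; if no 'by' matches, the clause denies (by * none)."""
import re
from collections import namedtuple

# slapd privilege levels, increasing; a grant satisfies any requirement at
# or below it (write covers read, read covers auth, ...).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
Rule = namedtuple("Rule", "scope attrs by")   # scope: (kind, dn) or None for '*'


def norm_dn(dn):
    """DNs are case-insensitive; drop spaces after commas before comparing."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def under(dn, base):
    """dn.subtree semantics: the base entry itself or anything beneath it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


def parse_rule(text):
    """Parse one 'to <what> by <who> <level> [by ...]' line ({n} tag optional)."""
    text = re.sub(r"^\{\d+\}", "", text.strip())
    m = re.match(r"to\s+(.+?)\s+by\s+(.+)$", text)
    if not m:
        raise ValueError("not an access rule: " + text)
    scope, attrs = None, None
    for tok in m.group(1).split():
        if tok == "*":
            continue                                  # every entry, every attribute
        if tok.startswith("dn.exact="):
            scope = ("exact", norm_dn(tok[len("dn.exact="):]))
        elif tok.startswith("dn.subtree="):
            scope = ("subtree", norm_dn(tok[len("dn.subtree="):]))
        elif tok.startswith("attrs="):
            attrs = {a.strip().lower() for a in tok[len("attrs="):].split(",")}
        else:
            raise ValueError("unsupported <what> token: " + tok)
    by = []
    for clause in re.split(r"\s+by\s+", m.group(2)):
        who, level = clause.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        by.append((who, level))
    return Rule(scope, attrs, by)


def who_matches(who, bound, target):
    bound, target = norm_dn(bound), norm_dn(target)
    if who == "*":
        return True
    if who == "anonymous":
        return bound == ""
    if who == "users":
        return bound != ""
    if who == "self":
        return bound != "" and bound == target
    if who.startswith("dn.exact="):
        return bound == norm_dn(who[len("dn.exact="):])
    if who.startswith("dn.subtree="):
        return bound != "" and under(bound, who[len("dn.subtree="):])
    raise ValueError("unsupported <who>: " + who)


def granted(rules, bound, target, attr):
    """Privilege level slapd would grant the bound DN on target/attr."""
    attr = attr.lower()
    for r in rules:
        if r.scope:
            kind, base = r.scope
            if kind == "exact" and norm_dn(target) != base:
                continue
            if kind == "subtree" and not under(target, base):
                continue
        if r.attrs is not None and attr not in r.attrs:
            continue                                  # clause is about other attrs
        for who, level in r.by:
            if who_matches(who, bound, target):
                return level
        return "none"                                 # <what> matched, no <who> did
    return "none"


def allows(rules, bound, target, attr, needed):
    return LEVELS.index(granted(rules, bound, target, attr)) >= LEVELS.index(needed)


# Constructed tree and rule sets, taken from the post (ou=vend as in its rules).
BASE = "dc=sunt,dc=com"
EMP1 = "uid=emp1,ou=people," + BASE                  # delegated vendor admin
EMP3 = "uid=emp3,ou=people," + BASE                  # ordinary employee
VEMP4 = "uid=vemp4,ou=vend," + BASE                  # vendor account
DELEGATION = [
    "to dn.subtree=ou=vend,%s attrs=userpassword,shadowlastchange "
    "by dn.exact=%s write by self write by anonymous auth by * read" % (BASE, EMP1),
    "to dn.subtree=ou=vend,%s by dn.exact=%s write by * read" % (BASE, EMP1),
]
EXISTING = [
    "to attrs=userpassword,shadowlastchange by self write by anonymous auth by * read",
    "to * by * read",
]
PAGE_ORDER = [parse_rule(r) for r in DELEGATION + EXISTING]    # delegation on top
WRONG_ORDER = [parse_rule(r) for r in EXISTING + DELEGATION]   # appended instead
# Same delegation, but the password clauses end in 'by * none', not 'by * read'.
HARDENED = [parse_rule(r.replace("by * read", "by * none") if "attrs=userpassword" in r else r)
            for r in DELEGATION + EXISTING]


def delegation_checks(rules):
    """The outcomes listed under Validation, plus the out-of-scope denials."""
    return {
        "self_reset": allows(rules, VEMP4, VEMP4, "userPassword", "write"),
        "emp1_reset_vend": allows(rules, EMP1, VEMP4, "userPassword", "write"),
        # ldapadd needs write on the new entry and on the parent's 'children'
        "emp1_add_vend": allows(rules, EMP1, VEMP4, "entry", "write")
        and allows(rules, EMP1, "ou=vend," + BASE, "children", "write"),
        "emp1_reset_people": allows(rules, EMP1, EMP3, "userPassword", "write"),
        "emp1_add_people": allows(rules, EMP1, "ou=people," + BASE, "children", "write"),
        "anonymous_bind": allows(rules, "", VEMP4, "userPassword", "auth"),
    }


def hash_readable_by_other_user(rules):
    """Can an unrelated authenticated user read a vendor account's userPassword?"""
    return allows(rules, EMP3, VEMP4, "userPassword", "read")


if __name__ == "__main__":
    for name, rules in [("page order", PAGE_ORDER), ("appended", WRONG_ORDER), ("hardened", HARDENED)]:
        print("%-10s %s  hash readable by emp3: %s"
              % (name, delegation_checks(rules), hash_readable_by_other_user(rules)))
```

Running the script shows the page's order and the hardened variant giving identical delegation results (emp1 can reset and add only inside ou=vend, anonymous binds still work), while appending the delegation rules after the existing "to attrs=userpassword ..." clause silently takes emp1's write access away, and only the hardened set stops emp3 from reading vemp4's password hash.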

Yahoooo.. Things are awesome!! Did this article help you? Share your comments here.

For your reference, the screen output of various scenarios is shared below. Extensive testing is required after applying access control rules.

Logged in as emp1: able to change my own password, create a new user in ou=vend and reset that user's password, while resetting a password in ou=people is denied as intended.

login as: emp1
emp1@10.20.31.137's password:
Last login: Sat Aug 27 00:35:13 2016 from 10.20.31.1
[emp1@rhel4 ~]$ passwd
Changing password for user emp1.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for emp1
passwd: all authentication tokens updated successfully.
[emp1@rhel4 ~]$ cat user.ldif
dn: uid=vemp4,ou=vend,dc=sunt,dc=com
objectClass: top
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
cn: vemp4
uid: vemp4
uidNumber: 20006
gidNumber: 100
homeDirectory: /home/vemp4
loginShell: /bin/bash
gecos: LDAP user vendor
[emp1@rhel4 ~]$ ldapadd -xW -D uid=emp1,ou=people,dc=sunt,dc=com -f user.ldif
Enter LDAP Password:
adding new entry "uid=vemp4,ou=vend,dc=sunt,dc=com"

[emp1@rhel4 ~]$ ldappasswd -xW -D uid=emp1,ou=people,dc=sunt,dc=com -S uid=vemp4,ou=vend,dc=sunt,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
[emp1@rhel4 ~]$ ldappasswd -xW -D uid=emp1,ou=people,dc=sunt,dc=com -S uid=emp3,ou=people,dc=sunt,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)

Logged in as the new user vemp4 and did a self-service password reset.

login as: vemp4
vemp4@10.20.31.137's password:
Creating home directory for vemp4.
[vemp4@rhel4 ~]$ passwd
Changing password for user vemp4.
Enter login(LDAP) password:
New password:
BAD PASSWORD: is too similar to the old one
New password:
Retype new password:
LDAP password information changed for vemp4
passwd: all authentication tokens updated successfully.
[vemp4@rhel4 ~]$
