I have an OU (organizational unit) named “vendor”. How do I delegate access control management for this OU alone to one user? Is it possible, as in Windows AD?
Yes, using OpenLDAP access control rules you can create fine-grained access control policies. I have tested this personally and discussed it here. There are two situations where you need this:
- It is useful in organizations where multiple parties are involved but share a common authentication system, because the third parties then do not need to depend on the LDAP admin for password resets.
- Another massive use is in organizations with a medium or large number of users, to delegate the password reset task to the service desk team.
Assume:
- base suffix = dc=sunt,dc=com
- ou=vendor
- ou=people
- user = uid=emp1,ou=people,dc=sunt,dc=com
The ou named vendor has to be managed by the non-rootdn user “emp1”. The user should be able to do the following:
- Reset the password of users that exist in ou=vendor
- Add/remove users in ou=vendor
- Strictly, user emp1 should not be allowed to modify anything outside ou=vendor.
OpenLDAP access control rules
The rules below have to be inserted on top of the existing rules, because slapd uses the first access clause whose target matches the entry. Do not forget to replace the ou and dc values with your respective values wherever applicable; note that the tested configuration below uses ou=vend rather than ou=vendor.
access to dn.subtree=ou=vend,dc=sunt,dc=com attrs=userpassword,shadowlastchange
    by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write
    by self write
    by anonymous auth
    by * read
access to dn.subtree=ou=vend,dc=sunt,dc=com
    by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write
    by * read
These rules can be added dynamically using an LDIF file. Create a file with the content shown here.
# cat db.ldif
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree=ou=vend,dc=sunt,dc=com attrs=userpassword,shadowlastchange by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write by self write by anonymous auth by * read
olcAccess: {1}to dn.subtree=ou=vend,dc=sunt,dc=com by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write by * read
Add this access control rule to OpenLDAP.
# ldapmodify -axw $PASS -D cn=config -f db.ldif
Note: You must bind as the rootdn of the “config” database. Don't have one? No worries, follow this discussion and get it done.
In the end, my backend database (bdb) access control rules look like this.
# ldapsearch -xw $PASS -D cn=config -b olcdatabase={2}bdb,cn=config -LLL olcaccess
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to dn.subtree=ou=vend,dc=sunt,dc=com attrs=userpassword,shadowlastchange by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write by self write by anonymous auth by * read
olcAccess: {1}to dn.subtree=ou=vend,dc=sunt,dc=com by dn.exact=uid=emp1,ou=people,dc=sunt,dc=com write by * read
olcAccess: {2}to attrs=userpassword,shadowlastchange by self write by anonymous auth by * read
olcAccess: {3}to * by * read
Tip
Also add these rules to slapd.conf under the database section; as described earlier, they should be placed on top of the existing rules. With cn=config in use, slapd does not read the rules from slapd.conf, but keeping them there will make your life easier during recovery.
Validation
After applying the above rules, the OpenLDAP system supports the following:
- All users are able to log in and reset their own password
- User emp1 is able to reset the password of other users that exist in ou=vendor
- User emp1 is able to add and remove users in ou=vendor
- User emp1 is not allowed to create/delete/password-reset users in any other ou.
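To see why these four rules give exactly those results, here is a small Python model of OpenLDAP's first-match ACL evaluation, added here as my own illustration (it is not OpenLDAP code). It models only the dn.subtree, attrs and by-clause forms used on this page and ignores everything else that slapd.access(5) supports; the rule text is the final olcAccess listing above.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write", "manage"]
EMP1 = "uid=emp1,ou=people,dc=sunt,dc=com"
# The four olcAccess rules this page ends up with, in order, joined into one string
ACL = ("to dn.subtree=ou=vend,dc=sunt,dc=com attrs=userpassword,shadowlastchange "
       "by dn.exact=" + EMP1 + " write by self write by anonymous auth by * read "
       "to dn.subtree=ou=vend,dc=sunt,dc=com by dn.exact=" + EMP1 + " write by * read "
       "to attrs=userpassword,shadowlastchange by self write by anonymous auth by * read "
       "to * by * read")

def norm(dn):  # simplistic DN normalisation: lower-case, no spaces around commas
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_subtree(target, base):
    return norm(target) == norm(base) or norm(target).endswith("," + norm(base))

def parse_acl(text):
    # Split "to <what> by <who> <level> ..." clauses; only dn.subtree= and attrs= are modelled
    rules = []
    for clause in re.split(r"\bto\b", text)[1:]:
        what, *bys = re.split(r"\bby\b", clause)
        rule = {"dn": None, "attrs": None, "by": [tuple(b.split()) for b in bys]}
        for tok in what.split():
            if tok.startswith("dn.subtree="):
                rule["dn"] = tok[len("dn.subtree="):]
            elif tok.startswith("attrs="):
                rule["attrs"] = set(tok[len("attrs="):].lower().split(","))
        rules.append(rule)
    return rules

def who_matches(who, requester, target):
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and norm(requester) == norm(target)
    if who.startswith("dn.exact="):
        return requester is not None and norm(who[len("dn.exact="):]) == norm(requester)
    return who == "*"

def access(rules, requester, target, attr):
    """Level requester (None = anonymous) gets on attr of target. 'entry' and 'children' are
    OpenLDAP's pseudo-attributes checked for add/delete. The first 'to' clause matching the
    target decides; inside it the first matching 'by' wins, otherwise access is none."""
    for rule in rules:
        if rule["dn"] and not in_subtree(target, rule["dn"]):
            continue
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        return next((lvl for who, lvl in rule["by"] if who_matches(who, requester, target)), "none")
    return "none"

def can(rules, requester, target, attr, needed):
    return LEVELS.index(access(rules, requester, target, attr)) >= LEVELS.index(needed)

RULES = parse_acl(ACL)
```

Running `can(RULES, EMP1, "uid=emp3,ou=people,dc=sunt,dc=com", "userPassword", "write")` returns False because only the third and fourth clauses match that entry, which is the "Insufficient access (50)" seen in the screen output below.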
Yahoooo.. Things are awesome !! Did this article help you? Share your comments here.
For your reference, the screen output of the various scenarios is shared below. Extensive testing is required after applying access control rules.
Logged in as emp1: emp1 can change their own password, create a new user in ou=vend and reset that user's password, but a password reset on a user in ou=people is refused.
login as: emp1
emp1@10.20.31.137's password:
Last login: Sat Aug 27 00:35:13 2016 from 10.20.31.1
[emp1@rhel4 ~]$ passwd
Changing password for user emp1.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for emp1
passwd: all authentication tokens updated successfully.
[emp1@rhel4 ~]$ cat user.ldif
dn: uid=vemp4,ou=vend,dc=sunt,dc=com
objectClass: top
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
cn: vemp4
uid: vemp4
uidNumber: 20006
gidNumber: 100
homeDirectory: /home/vemp4
loginShell: /bin/bash
gecos: LDAP user vendor
[emp1@rhel4 ~]$ ldapadd -xW -D uid=emp1,ou=people,dc=sunt,dc=com -f user.ldif
Enter LDAP Password:
adding new entry "uid=vemp4,ou=vend,dc=sunt,dc=com"
[emp1@rhel4 ~]$ ldappasswd -xW -D uid=emp1,ou=people,dc=sunt,dc=com -S uid=vemp4,ou=vend,dc=sunt,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
[emp1@rhel4 ~]$ ldappasswd -xW -D uid=emp1,ou=people,dc=sunt,dc=com -S uid=emp3,ou=people,dc=sunt,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)
Logged in as the new user vemp4 and did a password reset.
login as: vemp4
vemp4@10.20.31.137's password:
Creating home directory for vemp4.
[vemp4@rhel4 ~]$ passwd
Changing password for user vemp4.
Enter login(LDAP) password:
New password:
BAD PASSWORD: is too similar to the old one
New password:
Retype new password:
LDAP password information changed for vemp4
passwd: all authentication tokens updated successfully.
[vemp4@rhel4 ~]$
Thanks for the excellent manual