I have been trying to apply this ldif to my openldap server:
$ cat acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops@thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
I believe this should allow the user with DN "mail=itops@thedomain.com,ou=people,dc=thedomain,dc=com"
to update the attributes ipServicePort and description on "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com"
This seems to apply fine:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
When I search for it I can find my updated entry:
$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config 'olcDatabase={1}hdb'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={1}hdb
# requesting: ALL
#
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=thedomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" write by * read
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops@thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=thedomain,dc=com
olcRootPW: {SSHA}HASHEDPW
olcSyncrepl: {0}rid=003 provider=ldap://ldap.city.thedomain.com binddn="cn=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2nU searchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=004 provider=ldap://ldap1.domain.ie.aws.thedomain.net binddn="cn=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2nU searchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However, when I try to make a change using these credentials, it still fails:
$ cat /tmp/modify.ldif
dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
changetype: modify
replace: ipServicePort
ipServicePort: 1485176342

dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
changetype: modify
replace: description
description: Updated by ldap.city.thedomain.com on Mon Jan 23 12:59:02 UTC 2017
Running:
$ ldapmodify -H ldap://localhost -w PASSWORD -D "mail=itops@thedomain.com,ou=people,dc=thedomain,dc=com" -f /tmp/modify.ldif
modifying entry "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com"
ldap_modify: Insufficient access (50)
I also tried making my ACL slightly less restrictive to try to understand what wasn't working; I have tried the following acl.ldif files:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops@thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
Result was the same
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" by dn="mail=itops@thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
Result was the same
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to * by dn="mail=itops@thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
Result was the same
The only thing I didn't try yet, as I was hoping to avoid making the db this insecure, even during testing, was to allow * to write this record, or * to write to all records.
I've taken the dn of the record I want to allow editing on from Apache Directory Studio, which shows me:
DN: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
And my user's DN from the same:
DN: mail=itops@thedomain.com,ou=people,dc=thedomain,dc=com
I'm sure I'm doing something obviously idiotic, as my knowledge of ldap is poor and reading the documentation is painful for me. I'm hoping someone can spot my obvious error and suggest a correction as I can't see what I have done wrong after a large number of hours of tinkering.
Thank you to JoBbZ in #openldap IRC. This is a simple misunderstanding on my part. Order matters in ACL rules. LDAP will stop looking on the first match, so I need to save my olcAccess as 2, not 3.
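To make the first-match behaviour concrete, here is a small model of how slapd walks an olcAccess list, added as an example and not part of the original post or of OpenLDAP's own code. It encodes the four rules shown in the ldapsearch output above (the DNs, attributes and access levels are taken from the post; the rule and helper names are my own) and replays the failing ldapmodify against them, first in the posted order, where the catch-all {2} swallows the request, and then with the new rule placed in front of the catch-all. The model covers only the subset of slapd.access(5) syntax the post uses and does not implement the rootdn bypass.

```python
"""Minimal model of OpenLDAP olcAccess evaluation (added example, not slapd code).

Semantics modelled, per slapd.access(5): rules are tried in order; the first
rule whose 'to' target matches the entry/attribute decides; within that rule
the first matching 'by' clause decides the access level; if no 'by' clause
matches, access is 'none' and later rules are never consulted.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_satisfies(granted: str, requested: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(requested)


@dataclass
class Rule:
    """One 'to <what> [attrs=...] by <who> <level> ...' clause."""
    target: str                                   # "*", 'dn.base="..."', 'dn.exact="..."'
    attrs: Set[str] = field(default_factory=set)  # empty: rule covers the whole entry
    by: List[Tuple[str, str]] = field(default_factory=list)  # [(who, level), ...]

    def applies(self, entry_dn: str, attr: Optional[str]) -> bool:
        if self.target == "*":
            target_ok = True
        elif self.target.startswith("dn.base="):
            target_ok = entry_dn == self.target[len("dn.base="):].strip('"')
        elif self.target.startswith("dn.exact="):
            target_ok = entry_dn == self.target[len("dn.exact="):].strip('"')
        else:
            raise ValueError(f"unsupported target {self.target!r}")
        if not target_ok:
            return False
        # an attrs= list limits the rule to exactly those attributes
        return not self.attrs or (attr is not None and attr in self.attrs)


def who_matches(who: str, bind_dn: str, entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn == entry_dn
    if who.startswith("dn="):
        return bind_dn == who[len("dn="):].strip('"')
    raise ValueError(f"unsupported who {who!r}")


def granted_level(rules: List[Rule], bind_dn: str, entry_dn: str, attr: Optional[str]) -> str:
    """First applicable rule wins; within it the first matching 'by' wins."""
    for rule in rules:
        if rule.applies(entry_dn, attr):
            for who, level in rule.by:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"          # implicit trailing 'by * none'
    return "none"                  # nothing matched at all


def can(rules: List[Rule], bind_dn: str, entry_dn: str, attr: Optional[str], requested: str) -> bool:
    return level_satisfies(granted_level(rules, bind_dn, entry_dn, attr), requested)


# DNs from the post.
ADMIN = "cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net"
ITOPS = "mail=itops@thedomain.com,ou=people,dc=thedomain,dc=com"
TARGET = "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com"

# The four olcAccess rules exactly as the ldapsearch output lists them.
R0 = Rule("*", {"userPassword", "shadowLastChange"},
          [("self", "write"), ("anonymous", "auth"), (f'dn="{ADMIN}"', "write"), ("*", "none")])
R1 = Rule('dn.base=""', set(), [("*", "read")])
R2 = Rule("*", set(), [(f'dn="{ADMIN}"', "write"), ("*", "read")])
R3 = Rule(f'dn.exact="{TARGET}"', {"ipServicePort", "description"},
          [(f'dn="{ITOPS}"', "write"), ("*", "read")])

ORIGINAL_ORDER = [R0, R1, R2, R3]   # {3} sits behind the catch-all {2}
FIXED_ORDER = [R0, R1, R3, R2]      # the specific rule becomes {2}, catch-all becomes {3}


def main() -> None:
    for label, rules in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        for attr in ("ipServicePort", "description", "cn"):
            lvl = granted_level(rules, ITOPS, TARGET, attr)
            print(f"{label:8} itops -> {attr:14} {lvl:6} write ok: {can(rules, ITOPS, TARGET, attr, 'write')}")


if __name__ == "__main__":
    main()
```

Running it shows why the ldapmodify above got "Insufficient access (50)": with the specific rule at {3}, the request for ipServicePort is already settled by {2} ("by * read"), so itops gets read and the write is refused. With the rule moved ahead of the catch-all, itops gets write on exactly ipServicePort and description and still only read on every other attribute. One side effect the model also makes visible: once the specific rule comes first, the "cn=admin,...,dc=net" DN from rule {2} is evaluated against the specific rule's own "by" clauses and ends up with read on those two attributes, so if that DN needs to keep writing them, it needs its own "by" clause in the new rule.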