Linux Archive - Fedora Directory - access control
http://www.linux-archive.org/fedora-directory/443570-access-control.html

Mike Li 10-24-2010 01:38 AM

access control
 
I am using the latest 389 DS (1.1) on Linux. Searching the entries works, but I cannot do add/modify; the ldap_add_s() and ldap_modify_s() APIs return: Insufficient access.

How do I give write access to a login (identified by a login DN and password)? I have searched everywhere but cannot find any help at all.


Thanks.


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

"Morris, Patrick" 10-25-2010 08:14 AM

access control
 
http://directory.fedoraproject.org/wiki/Howto:AccessControl

On 10/23/2010 6:38 PM, Mike Li wrote:
> I am using the latest 389 DS (1.1), on Linux. Searching the entries
> works but cannot do add/modify, ldap_add_s() and ldap_modify_s() APIs
> return: Insufficient access.
>
> How do I give the write access to a login (identified by a login DN
> and passwd) ? Searched everywhere but cannot find any help at all.
>
> Thanks.
>

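An added example, not code from the thread or from the 389 DS project, of the kind of ACI the Howto page linked above describes: a script that generates and applies an aci granting one bind DN write access to one subtree, then checks it by binding as that DN and doing a modify. The subtree ou=Apps,dc=example,dc=com, the service-account DN cn=app1,ou=ServiceAccounts,dc=example,dc=com, the acl name and ldap://localhost are placeholders, and the OpenLDAP ldapmodify/ldapsearch client tools are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Grants one bind DN write access to
# one subtree in 389 DS by adding an aci attribute to that subtree's root entry.
# ou=Apps..., cn=app1... and ldap://localhost are placeholders.
#
# 389 DS is deny-by-default: apart from Directory Manager, a bind DN can do only
# what some aci explicitly allows, so an account that can search (often via the
# anonymous-read aci the setup script installs) still gets "Insufficient access"
# (LDAP result code 50) on add/modify until an aci grants it write rights.

# aci_ldif SUBTREE_DN BIND_DN ACL_NAME
# Print the LDIF that adds one aci to SUBTREE_DN. The userdn bind rule matches
# exactly BIND_DN. The targetattr clause excludes aci and userPassword, so the
# account cannot rewrite the rule that grants it access or set passwords in the
# subtree; if the application really must write userPassword, remove that one
# exclusion deliberately rather than widening targetattr to "*".
aci_ldif() {
    subtree=$1; binddn=$2; name=$3
    printf 'dn: %s\nchangetype: modify\nadd: aci\n' "$subtree"
    printf 'aci: (targetattr != "aci || userPassword")(version 3.0; acl "%s"; allow (write, add, delete) userdn = "ldap:///%s";)\n' \
        "$name" "$binddn"
}

# For contrast only: the first thing many people try. It grants every right on
# every attribute in the subtree to the account; do not use it for an
# application bind DN.
WEAK_ACI='(targetattr = "*")(version 3.0; acl "app1 all"; allow (all) userdn = "ldap:///cn=app1,ou=ServiceAccounts,dc=example,dc=com";)'

# apply_aci SUBTREE_DN BIND_DN ACL_NAME
# Add the aci as Directory Manager (-W prompts for the password).
apply_aci() {
    aci_ldif "$1" "$2" "$3" |
        ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W
}

# show_aci SUBTREE_DN: list the aci values now on the subtree root entry.
show_aci() {
    ldapsearch -x -H ldap://localhost -D "cn=Directory Manager" -W \
        -b "$1" -s base '(objectClass=*)' aci
}

# check_write BIND_DN ENTRY_DN
# Bind as the application account and replace a harmless attribute on
# ENTRY_DN. ldapmodify exits with the LDAP result code: 0 means the aci works,
# 50 is the "Insufficient access" from the original question, and the server's
# access log shows the same number as "RESULT err=50".
check_write() {
    printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: aci check\n' "$2" |
        ldapmodify -x -H ldap://localhost -D "$1" -W
}

# Usage: sh aci.sh apply   (run without arguments, the script only defines the
# functions above)
if [ "${1:-}" = "apply" ]; then
    SUBTREE="ou=Apps,dc=example,dc=com"
    APPDN="cn=app1,ou=ServiceAccounts,dc=example,dc=com"
    apply_aci "$SUBTREE" "$APPDN" "app1 write"
    show_aci "$SUBTREE"
    check_write "$APPDN" "cn=app1-config,$SUBTREE"
fi
```

Run check_write once before applying the aci as well: the first run should exit 50 and the second 0, which confirms the grant is the only thing that changed. Note that placing the aci on the subtree root entry scopes it to that subtree; an aci added on the suffix entry would cover the whole DIT.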

Anthony Messina 10-25-2010 10:37 PM

access control
 
On Monday, October 25, 2010 03:14:59 am Morris, Patrick wrote:
> http://directory.fedoraproject.org/wiki/Howto:AccessControl
>
> On 10/23/2010 6:38 PM, Mike Li wrote:
> > I am using the latest 389 DS (1.1), on Linux. Searching the entries
> > works but cannot do add/modify, ldap_add_s() and ldap_modify_s() APIs
> > return: Insufficient access.
> >
> > How do I give the write access to a login (identified by a login DN
> > and passwd) ? Searched everywhere but cannot find any help at all.
> >
> > Thanks.

Anyone know how to set ACIs for connections using the socket interface?

I see we can restrict to IP address or hostname/domain, but I don't see
anything for SLAPI. Thanks in advance. -A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

Rich Megginson 10-25-2010 10:42 PM

access control
 
Anthony Messina wrote:
> On Monday, October 25, 2010 03:14:59 am Morris, Patrick wrote:
>
>> http://directory.fedoraproject.org/wiki/Howto:AccessControl
>>
>> On 10/23/2010 6:38 PM, Mike Li wrote:
>>
>>> I am using the latest 389 DS (1.1), on Linux. Searching the entries
>>> works but cannot do add/modify, ldap_add_s() and ldap_modify_s() APIs
>>> return: Insufficient access.
>>>
>>> How do I give the write access to a login (identified by a login DN
>>> and passwd) ? Searched everywhere but cannot find any help at all.
>>>
>>> Thanks.
>>>
>
> Anyone know how to set ACIs for connections using the socket interface?
>
> I see we can restrict to IP address or hostname/domain, but I don't see
> anything for SLAPI. Thanks in advance. -A
>
I think you mean LDAPI. There is nothing explicit - however, you can
set access based on hostname or IP address. I suppose, since an LDAPI
connection has no hostname or IP address, you might be able to use that
somehow.


Anthony Messina 10-25-2010 11:33 PM

access control
 
On Monday, October 25, 2010 05:42:59 pm Rich Megginson wrote:
> > Anyone know how to set ACIs for connections using the socket interface?
> >
> > I see we can restrict to IP address or hostname/domain, but I don't see
> > anything for SLAPI. Thanks in advance. -A
> >
> >
>
> I think you mean LDAPI. There is nothing explicit - however, you can
> set access based on hostname or IP address. I suppose, since an LDAPI
> connection has no hostname or IP address, you might be able to use that
> somehow.

Yes, Rich, you're right, it's "ldapi". Sorry about that. I must be slapi-happi ;)

However, in the access logs, it appears to use the name "local".

~#] ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-elburn.socket
<snip>
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

And using "local" with either "ip=" or "dns=" doesn't change the behavior.

Usage example: I'd like to let PHP/Apache connect to ldapi with specific
accounts for different applications. Right now, it seems like ldapi access is
either all or nothing.

I could use autobind, but that wouldn't allow different PHP
processes/applications to have separate access to different parts of the DIT
as they would all connect via the "apache" user.

I used to use this capability with OpenLDAP via the "by peername.path=/var/run/ldapi read" directive.

Thanks again. -A

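An added example for the LDAPI question, not from the thread or from the project. The thread establishes that there is no aci bind rule for the socket itself; the alternative shown here is to have 389 DS map the connecting process's Unix uid/gid to a directory entry (LDAPI autobind with map-to-entries), after which each application that runs as its own Unix user binds as its own DN over the socket and ordinary userdn ACIs apply per application. This assumes a 389 DS release that has the nsslapd-ldapimaptoentries family of cn=config settings (they are documented for later releases; check the release in use), that each PHP application runs under its own Unix account (for example a separate php-fpm pool per application), and that ou=ServiceAccounts,dc=example,dc=com and the numeric ids are placeholders; the socket path is the one from the log above.

```shell
#!/bin/sh
# Added example, not code from the thread. Configure 389 DS LDAPI autobind to
# map the connecting process's uid/gid to an entry under a search base, so that
# each application running as its own Unix user binds as its own DN over the
# socket and ordinary userdn ACIs distinguish them. Setting names are the
# nsslapd-ldapi* attributes documented for later 389 DS releases (assumption:
# the release in use has them); DNs and numeric ids are placeholders.

SOCKET="/var/run/slapd-elburn.socket"          # socket path from the thread
ACCOUNTS="ou=ServiceAccounts,dc=example,dc=com" # placeholder search base

# ldapi_url SOCKET_PATH: build the ldapi:// URL (slashes are %2f-escaped).
ldapi_url() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's|/|%2f|g')"
}

# ldapi_map_ldif SEARCH_BASE
# Print the cn=config LDIF: enable the socket and autobind, and map the
# caller's uid/gid to the entry under SEARCH_BASE whose uidNumber/gidNumber
# match. Root's mapping (nsslapd-ldapimaprootdn) is left at its default.
ldapi_map_ldif() {
    base=$1
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ldapilisten
nsslapd-ldapilisten: on
-
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
-
replace: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on
-
replace: nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype: uidNumber
-
replace: nsslapd-ldapigidnumbertype
nsslapd-ldapigidnumbertype: gidNumber
-
replace: nsslapd-ldapientrysearchbase
nsslapd-ldapientrysearchbase: $base
EOF
}

# account_ldif CN UID GID
# Print the entry one application's Unix account maps to. uidNumber and
# gidNumber must equal the id(1) values of the process that opens the socket.
# No userPassword: the identity comes from the socket peer, not a password,
# so this entry cannot be used over TCP at all.
account_ldif() {
    printf 'dn: cn=%s,%s\nobjectClass: top\nobjectClass: person\nobjectClass: posixAccount\ncn: %s\nsn: %s\nuid: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: /nonexistent\n' \
        "$1" "$ACCOUNTS" "$1" "$1" "$1" "$2" "$3"
}

# check_autobind: run as the application's Unix user (su -s /bin/sh app1) and
# then look for "AUTOBIND dn=cn=app1,..." on that connection in the access log.
# Without a mapping the BIND line shows dn="" exactly as in the log above.
# Assumption: autobind is triggered by a SASL EXTERNAL bind on the socket;
# older releases trigger it on an anonymous simple bind (-x) instead.
check_autobind() {
    ldapsearch -Y EXTERNAL -H "$(ldapi_url "$SOCKET")" \
        -b "$ACCOUNTS" -s base '(objectClass=*)' dn
}

# Usage: sh ldapi-map.sh apply   (run without arguments, only the functions
# above are defined). Applies the config, creates one mapped account (uid/gid
# 1001 are placeholders), and restarts nothing: the ldapi settings are read
# at startup, so restart the instance afterwards.
if [ "${1:-}" = "apply" ]; then
    ldapi_map_ldif "$ACCOUNTS" |
        ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W
    account_ldif app1 1001 1001 |
        ldapadd -x -H ldap://localhost -D "cn=Directory Manager" -W
fi
```

Once the mapping is in place, the ACIs for each application are written against cn=app1,ou=ServiceAccounts,... and so on with the usual userdn bind rule, so the per-application separation is enforced by ordinary ACI evaluation rather than by anything socket-specific, which is what the ip=/dns= bind rules cannot provide here.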

Anthony Messina 10-26-2010 01:02 AM

access control
 
On Monday, October 25, 2010 05:42:59 pm Rich Megginson wrote:
> I think you mean LDAPI. There is nothing explicit - however, you can
> set access based on hostname or IP address. I suppose, since an LDAPI
> connection has no hostname or IP address, you might be able to use that
> somehow.

As suggested in a thread from July, a bug report has been filed for this feature:
https://bugzilla.redhat.com/show_bug.cgi?id=646707


