Carlo Pradissitto
2010-03-19 11:54:05 UTC
Hi,
my DIT is something like this:
dc=<base>
|__ dc=<domain_1>
|   |__ o=<org_1>
|   |   |__ cn=user_domain1_1
|   |   |__ cn=user_domain1_2
|   |   |__ cn=user_domain1_3
|   |__ o=<org_2>
|       |__ cn=user_domain1_3
|       |__ cn=user_domain1_4
|       |__ cn=user_domain1_5
|__ dc=<domain_2>
    |__ o=<org_3>
    |   |__ cn=user_domain2_1
    |   |__ cn=user_domain2_2
    |   |__ cn=user_domain2_3
    |__ o=<org_4>
        |__ cn=user_domain2_3
        |__ cn=user_domain2_4
        |__ cn=user_domain2_5
I would like to create one administrative account for each domain
(<domain_1> and <domain_2>)
Here is my way:
I create a new branch:
dc=<base>
|__ o=Administrators
    |__ ou=<domain_1>_Administrators
        |__ cn=Administrator1
Then I insert a new directive in slapd.conf:
access to dn.subtree="dc=<domain_1>,dc=<base>"
    by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
Here is the response when I try to connect with the <domain_1>Administrators credentials:
Error opening connection:
[LDAP: error code 49 - Invalid Credentials]
Here is OpenLDAP's output in debug mode:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
>>> slap_listener(ldap://<my_host>:1389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: listen=7, new connection on 11
daemon: added 11r (active) listener=(nil)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 83 contents:
op tag 0x60, time 1268990296
ber_get_next
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>
<<< dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>, <cn=administrator1,ou=<domain_1>dministrators,o=administrators,dc=<base>>
do_bind: version=3 dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" method=128
bdb_dn2entry("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
=> bdb_dn2id("dc=<base>")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x12
=> bdb_dn2id("ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x13
=> bdb_dn2id("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x14
entry_decode: "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>"
<= entry_decode(cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>)
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 11
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=11 for close
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_close: conn=1000 sd=11
daemon: removing 11
Same result with this policy:
access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
I can access only with this policy:
access to * by * write
I compiled OpenLDAP 2.4.21 with default settings.
Here is my slapd.conf:
include /sw/test_domain_openldap-2.4.21/etc/openldap/schema/core.schema
include /sw/test_domain_openldap-2.4.21/etc/openldap/schema/cosine.schema

pidfile /sw/test_domain_openldap-2.4.21/var/run/slapd.pid
argsfile /sw/test_domain_openldap-2.4.21/var/run/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=<base>"
rootdn "cn=Manager,dc=<base>"
rootpw testdomain
directory /sw/test_domain_openldap-2.4.21/var/openldap-data
index objectClass eq

access to * by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
Thanks in advance!
Carlo
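The bind failure in the post follows from slapd's ACL semantics alone. A simple bind needs "auth" access to the userPassword attribute of the bind DN, and slapd evaluates that check before the connection has an identity, i.e. as anonymous. The cn=Administrator1 entry lives under o=Administrators, outside dn.subtree="dc=<domain_1>,dc=<base>", so neither of the first two policies matches it, and as soon as any access directive is configured an unmatched entry falls to the implicit "access to * by * none": no auth on userPassword, hence err=49. The only policy that worked, "access to * by * write", works because it also grants anonymous "auth" on userPassword, but it grants anonymous "write" to the entire directory at the same time. The Python below is an added example written for this thread, not code from the post or from OpenLDAP: a toy evaluator that models only the ACL constructs used here (first matching <what> wins, the first matching <who> inside it wins, a matched <what> with no matching <who> grants nothing, and the implicit none default), runs the three posted policies plus a least-privilege replacement, and reports whether Administrator1's bind is accepted. The DNs are the post's placeholders; the replacement policy, and the treatment of an unstyled dn= <who> clause as an exact match, are this example's assumptions.

```python
import re

# Toy model of slapd ACL evaluation (OpenLDAP 2.4 semantics, simplified). Added example
# for this thread, not code from the original post or from OpenLDAP.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ANONYMOUS = ""  # slapd represents the anonymous identity as an empty DN

def norm(dn):
    """Case- and whitespace-insensitive comparison form (stand-in for dnNormalize)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

def parse_acls(text):
    """Parse 'access to <what> by <who> <level> ...'; indented lines continue the previous one."""
    joined = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            if raw[0].isspace() and joined:
                joined[-1] += " " + raw.strip()
            else:
                joined.append(raw.strip())
    acls = []
    for line in joined:
        what, *bys = re.split(r"\s+by\s+", line)
        attrs = re.search(r"attrs=(\S+)", what)  # attrs= restricts the rule to the listed attributes
        attrs = {a.lower() for a in attrs.group(1).split(",")} if attrs else None
        base = re.search(r'dn\.subtree="([^"]*)"', what)  # "*" or bare attrs=: every entry
        acls.append((base.group(1) if base else None, attrs, [tuple(by.rsplit(None, 1)) for by in bys]))
    return acls

def who_matches(who, requester, target):
    if who in ("*", "anonymous"):
        return who == "*" or requester == ANONYMOUS
    if who == "self":
        return requester != ANONYMOUS and norm(requester) == norm(target)
    m = re.match(r'dn(?:\.(exact|subtree))?="([^"]*)"', who)
    assert m, f"unsupported <who> clause in this model: {who}"
    if m.group(1) == "subtree":
        return in_subtree(requester, m.group(2))
    return norm(requester) == norm(m.group(2))  # unstyled dn= modelled as an exact match (assumption)

def check_access(acls, requester, target, attr, need):
    """True if `requester` holds at least `need` on `attr` of entry `target` under `acls`."""
    for base, attrs, clauses in acls:  # first matching <what> decides
        if base is not None and not in_subtree(target, base):
            continue
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:  # first matching <who> decides
            if who_matches(who, requester, target):
                return LEVELS.index(level) >= LEVELS.index(need)
        return False  # <what> matched but no <who> did: implicit "by * none"
    # nothing matched: implicit "access to * by * none" once any directive exists (read if none at all)
    return not acls and LEVELS.index("read") >= LEVELS.index(need)

def simple_bind_allowed(acls, bind_dn):
    # slapd evaluates the bind as anonymous, needing "auth" on the bind DN's userPassword
    return check_access(acls, ANONYMOUS, bind_dn, "userPassword", "auth")

BASE = "dc=<base>"
ADMIN1 = f"cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,{BASE}"
USER1 = f"cn=user_domain1_1,o=<org_1>,dc=<domain_1>,{BASE}"
USER2 = f"cn=user_domain2_1,o=<org_3>,dc=<domain_2>,{BASE}"

# The three policies tried in the post, in order.
POSTED = {
    "admin_only": f'access to dn.subtree="dc=<domain_1>,{BASE}" by dn="{ADMIN1}" write',
    "anyone_in_domain": f'access to dn.subtree="dc=<domain_1>,{BASE}" by * write',
    "anyone_everything": "access to * by * write",
}

# Least-privilege replacement (this example's suggestion, not from the post); repeat the two
# <domain_1> rules for <domain_2>. The scoped userPassword rule must precede the generic one.
FIXED = f'''
access to dn.subtree="dc=<domain_1>,{BASE}" attrs=userPassword
    by dn.exact="{ADMIN1}" write
    by self write
    by anonymous auth
    by * none
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="dc=<domain_1>,{BASE}"
    by dn.exact="{ADMIN1}" write
    by * none
access to * by * none
'''

def outcomes():
    """Whether Administrator1's simple bind succeeds under each policy."""
    result = {name: simple_bind_allowed(parse_acls(text), ADMIN1) for name, text in POSTED.items()}
    result["fixed"] = simple_bind_allowed(parse_acls(FIXED), ADMIN1)
    return result
```

outcomes() returns False for the first two posted policies, True for "access to * by * write" and True for the replacement; the same evaluator shows that the replacement lets Administrator1 write entries and reset passwords only inside dc=<domain_1>, lets users change their own password, and gives anonymous nothing beyond the auth it needs to bind. The replacement deliberately grants no read access to ordinary users; add a per-domain "by users read" (or narrower) rule for that. Ordering matters in the real slapd as in the model: a generic "access to attrs=userPassword" placed before the scoped one would stop the domain admin from resetting passwords, because the first matching <what> clause ends evaluation. To check the actual configuration instead of the model, slapacl(8) answers the same question against slapd.conf, e.g. `slapacl -f slapd.conf -b "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" userPassword/auth` with no -D, which evaluates as anonymous.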