
Configure "Access Control Configuration" in YAST



sergiohnj
27-May-2015, 16:27
Hello,
I'm working with SLES 11.1 and OpenLDAP 2.4.20.

In YaST I'm trying to configure "Access Control Configuration", but it doesn't work. I have to deploy 2 conditions: cn=userproxy,dc=users,dc=tree has read-only access over the subtree dc=container,dc=tree, and cn=admin,dc=users,dc=tree has all access on all entries.

Under the rule "special access rules first, generic access rules last", I set:

On "All entries", The user with the DN cn=admin,dc=users,dc=tree Manage (full), and "Stop Access Control evaluation here"
On "All Entries in the subtree" dc=container,dc=tree , The user with the DN cn=userproxy,dc=users,dc=tree read , and "Stop Access Control evaluation here"
All entries everybody read all attributes, "Stop Access Control evaluation here".

I could not find documentation on Access Control Configuration through YAST. Do you know where to get some information?

Regards.

jmozdzen
28-May-2015, 11:15
Hi sergiohnj,

Hello,
I'm working with SLES 11.1 and OpenLDAP 2.4.20.

In YaST I'm trying to configure "Access Control Configuration", but it doesn't work. I have to deploy 2 conditions: cn=userproxy,dc=users,dc=tree has read-only access over the subtree dc=container,dc=tree, and cn=admin,dc=users,dc=tree has all access on all entries.

Under the rule "special access rules first, generic access rules last", I set:

On "All entries", The user with the DN cn=admin,dc=users,dc=tree Manage (full), and "Stop Access Control evaluation here"
On "All Entries in the subtree" dc=container,dc=tree , The user with the DN cn=userproxy,dc=users,dc=tree read , and "Stop Access Control evaluation here"
All entries everybody read all attributes, "Stop Access Control evaluation here".

I could not find documentation on Access Control Configuration through YAST. Do you know where to get some information?

Regards.

One way to check would be to look at what YaST put into /etc/openldap/slapd.conf and compare that to the OpenLDAP documentation.

Since SLES11SP1 is out of support (unless you have some special support contract), you might consider upgrading to a newer level (i.e. SP3). Depending on your use, I recall that the shipped OpenLDAP version had serious issues, especially in the area of replication.

Regards,
Jens

sergiohnj
28-May-2015, 16:23
Thanks jmozdzen,


Hi sergiohnj,


One way to check would be to look at what YaST put into /etc/openldap/slapd.conf and compare that to the OpenLDAP documentation.


From /etc/openldap/slapd.conf :
"# Note: The OpenLDAP configuration has been created by YaST. YaST does not
# use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore.
# YaST uses OpenLDAP's dynamic configuration database (back-config) to
# store the LDAP server's configuration."



Since SLES11SP1 is out of support (unless you have some special support contract), you might consider upgrading to a newer level (i.e. SP3). Depending on your use, I recall that the shipped OpenLDAP version had serious issues, especially in the area of replication.

Regards,
Jens

Thanks!

jmozdzen
29-May-2015, 15:20
Hi sergiohnj,


From /etc/openldap/slapd.conf :
"# Note: The OpenLDAP configuration has been created by YaST. YaST does not
# use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore.
# YaST uses OpenLDAP's dynamic configuration database (back-config) to
# store the LDAP server's configuration."

So then... take a look at what's in the according LDIF file :D ("/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{-1\}frontend.ldif" ?)

Is that really SLES11SP1? I thought that they started LDIF-based configuration in SP3, but maybe I was just too old-school to take notice before then.

Regards,
Jens
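As an added example (not from either poster), the three rules from the opening post written as olcAccess values in the back-config LDIF that jmozdzen points at, first in the posted order and then reordered: slapd uses the first "to" clause whose target matches the entry and, when none of that clause's "by" lines match the requester, denies access without consulting later rules. The database entry name olcDatabase={1}hdb,cn=config and the choice to deny other users inside the container subtree are assumptions.

```ldif
# Constructed example, not taken from the thread. Rules as the post lists
# them, applied to the back-config entry of the data database (the entry
# name olcDatabase={1}hdb,cn=config is an assumption; check slapd.d/).
#
# Evaluation model: slapd walks olcAccess values in {n} order and picks the
# FIRST "to" clause whose target matches the entry. Within it, the first
# matching "by" line decides. If no "by" line matches, access is denied
# (implicit "by * none") and later olcAccess values are not consulted.
#
# Posted order: "to *" in {0} matches every entry, so a request from
# cn=userproxy for dc=container,dc=tree stops at {0} with no matching
# "by" line and is denied; {1} is never reached.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact="cn=admin,dc=users,dc=tree" manage stop
olcAccess: {1}to dn.subtree="dc=container,dc=tree"
  by dn.exact="cn=userproxy,dc=users,dc=tree" read stop
olcAccess: {2}to * by * read stop

# Reordered: the narrow target comes first and lists every subject that
# must win there; the catch-all "to *" goes last. "by * none" inside the
# container subtree is an assumption (use "by * read" if everyone should
# still see it, as the post's third rule implies).
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="dc=container,dc=tree"
  by dn.exact="cn=admin,dc=users,dc=tree" manage
  by dn.exact="cn=userproxy,dc=users,dc=tree" read
  by * none
olcAccess: {1}to *
  by dn.exact="cn=admin,dc=users,dc=tree" manage
  by * read
```

Apply only the second record (for example with ldapmodify over ldapi:/// using SASL EXTERNAL); the first is shown only to make the ordering problem visible, and applying both in one run simply ends with the corrected set.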