Hello,
I'm working with SLES 11.1 and OpenLDAP 2.4.20.
In YaST I'm trying to configure “Access Control Configuration” but it doesn't work. I have to deploy 2 conditions: cn=userproxy,dc=users,dc=tree access read only over subtree dc=container,dc=tree and cn=admin,dc=users,dc=tree all access on all entries.
Over the rule “special access rules first, generic access rules last” I have set:
On “All entries”, The user with the DN cn=admin,dc=users,dc=tree Manage (full), and “Stop Access Control evaluation here”
On “All Entries in the subtree” dc=container,dc=tree , The user with the DN cn=userproxy,dc=users,dc=tree read , and “Stop Access Control evaluation here”
All entries everybody read all attributes, “Stop Access Control evaluation here”.
I could not find documentation on Access Control Configuration through YaST. Do you know where to get some information?
Regards.
Hi sergiohnj,
[QUOTE=sergiohnj;28063]Hello,
I'm working with SLES 11.1 and OpenLDAP 2.4.20.
In YaST I'm trying to configure “Access Control Configuration” but it doesn't work. I have to deploy 2 conditions: cn=userproxy,dc=users,dc=tree access read only over subtree dc=container,dc=tree and cn=admin,dc=users,dc=tree all access on all entries.
Over the rule “special access rules first, generic access rules last” I have set:
On “All entries”, The user with the DN cn=admin,dc=users,dc=tree Manage (full), and “Stop Access Control evaluation here”
On “All Entries in the subtree” dc=container,dc=tree , The user with the DN cn=userproxy,dc=users,dc=tree read , and “Stop Access Control evaluation here”
All entries everybody read all attributes, “Stop Access Control evaluation here”.
I could not find documentation on Access Control Configuration through YaST. Do you know where to get some information?
Regards.[/QUOTE]
One way to check would be to look at what YaST put into /etc/openldap/slapd.conf and compare that to the OpenLDAP documentation.
Since SLES11SP1 is out of support (unless you have some special support contract), you might consider upgrading to a newer level (i.e. SP3). Depending on your use, I recall that the shipped OpenLDAP version had serious issues, especially in the area of replication.
Regards,
Jens
Thanks jmozdzen,
[QUOTE=jmozdzen;28071]Hi sergiohnj,
One way to check would be to look at what YaST put into /etc/openldap/slapd.conf and compare that to the OpenLDAP documentation.
[/QUOTE]
From /etc/openldap/slapd.conf :
"# Note: The OpenLDAP configuration has been created by YaST. YaST does not
use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore.
YaST uses OpenLDAP’s dynamic configuration database (back-config) to
store the LDAP server’s configuration."
[QUOTE=jmozdzen]
Since SLES11SP1 is out of support (unless you have some special support contract), you might consider upgrading to a newer level (i.e. SP3). Depending on your use, I recall that the shipped OpenLDAP version had serious issues, especially in the area of replication.
Regards,
Jens[/QUOTE]
Thanks!
Hi sergiohnj,
[QUOTE=sergiohnj;28076]
From /etc/openldap/slapd.conf :
"# Note: The OpenLDAP configuration has been created by YaST. YaST does not
use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore.
YaST uses OpenLDAP’s dynamic configuration database (back-config) to
store the LDAP server’s configuration."[/QUOTE]
So then… take a look at what’s in the corresponding LDIF file ("/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{-1\}frontend.ldif" ?)
Is that really SLES11SP1? I thought that they started LDIF-based configuration in SP3, but maybe I was just too old-school to take notice before then.
Regards,
Jens
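
Added example, not part of the original thread: a small checker for the `olcAccess` values stored in a back-config LDIF. For each request slapd uses the first access clause whose `to` part matches the entry, and every clause ends with an implicit `by * none stop`, so a bare `to *` clause placed first hides everything after it. The sample LDIF is constructed, and the assumption that the YaST settings from the first post map to these three clauses in this order is mine; the function names are hypothetical.

```python
import base64
import re

# Constructed sample: olcAccess values in the order the first post describes.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to * by dn.base="cn=admin,dc=users,dc=tree" manage
olcAccess: {1}to dn.subtree="dc=container,dc=tree" by dn.base="cn=userproxy,
 dc=users,dc=tree" read
olcAccess: {2}to * by * read
"""

def olc_access_rules(ldif):
    """Return [(index, rule)] sorted by the {n} prefix slapd evaluates in."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF folds long lines with "\n "
    rules = []
    for line in unfolded.splitlines():
        m = re.match(r"olcAccess(::?)\s*(.*)", line, re.I)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == "::":  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        numbered = re.match(r"\{(\d+)\}(.*)", value, re.S)
        if numbered:
            rules.append((int(numbered.group(1)), numbered.group(2).strip()))
    return sorted(rules)

def shadowed_rules(rules):
    """Return [(unreachable_index, blocking_index)].

    A bare "to *" clause matches every entry. Unless one of its "by" parts
    carries the "break" control, the implicit "by * none stop" ends
    evaluation there and no later clause is consulted.
    """
    findings, blocker = [], None
    for index, rule in rules:
        if blocker is not None:
            findings.append((index, blocker))
            continue
        m = re.match(r"to\s+(.*?)\s+by\s+(.*)", rule, re.S)
        if m and m.group(1) == "*" and "break" not in m.group(2).split():
            blocker = index
    return findings

if __name__ == "__main__":
    for unreachable, blocking in shadowed_rules(olc_access_rules(SAMPLE_LDIF)):
        print(f"rule {{{unreachable}}} is never reached: rule {{{blocking}}} matches all entries")
```

The LDIF text can come from the files under /etc/openldap/slapd.d/ or from `slapcat -n 0`. The check only recognises a bare `to *`; clauses narrowed by `attrs=` or `filter=` are not treated as catch-alls.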