Configure "Access Control Configuration" in YAST

Hello,
I’m working with SLES 11.1 and OpenLDAP 2.4.20.

In YaST I’m trying to configure “Access Control Configuration”, but it doesn’t work. I have to deploy two conditions: cn=userproxy,dc=users,dc=tree gets read-only access over the subtree dc=container,dc=tree, and cn=admin,dc=users,dc=tree gets all access on all entries.

Following the rule “special access rules first, generic access rules last”, I set:

On “All entries”: the user with the DN cn=admin,dc=users,dc=tree, Manage (full), and “Stop Access Control evaluation here”.
On “All entries in the subtree” dc=container,dc=tree: the user with the DN cn=userproxy,dc=users,dc=tree, read, and “Stop Access Control evaluation here”.
On “All entries”: everybody, read all attributes, and “Stop Access Control evaluation here”.

I could not find documentation on Access Control Configuration through YaST. Do you know where to get some information?

Regards.

Hi sergiohnj,

[QUOTE=sergiohnj;28063]Hello,
I’m working with SLES 11.1 and OpenLDAP 2.4.20.

In YaST I’m trying to configure “Access Control Configuration”, but it doesn’t work. I have to deploy two conditions: cn=userproxy,dc=users,dc=tree gets read-only access over the subtree dc=container,dc=tree, and cn=admin,dc=users,dc=tree gets all access on all entries.

Following the rule “special access rules first, generic access rules last”, I set:

On “All entries”: the user with the DN cn=admin,dc=users,dc=tree, Manage (full), and “Stop Access Control evaluation here”.
On “All entries in the subtree” dc=container,dc=tree: the user with the DN cn=userproxy,dc=users,dc=tree, read, and “Stop Access Control evaluation here”.
On “All entries”: everybody, read all attributes, and “Stop Access Control evaluation here”.

I could not find documentation on Access Control Configuration through YaST. Do you know where to get some information?

Regards.[/QUOTE]

One way to check would be to look at what YaST put into /etc/openldap/slapd.conf and compare that to the OpenLDAP documentation.

Since SLES11SP1 is out of support (unless you have some special support contract), you might consider upgrading to a newer level (i.e. SP3). Depending on your use, I recall that the shipped OpenLDAP version had serious issues, especially in the area of replication.

Regards,
Jens

Thanks jmozdzen,

[QUOTE=jmozdzen;28071]Hi sergiohnj,

One way to check would be to look at what YaST put into /etc/openldap/slapd.conf and compare that to the OpenLDAP documentation.
[/QUOTE]

From /etc/openldap/slapd.conf:

# Note: The OpenLDAP configuration has been created by YaST. YaST does not
# use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore.
# YaST uses OpenLDAP’s dynamic configuration database (back-config) to
# store the LDAP server’s configuration.

[QUOTE=jmozdzen]
Since SLES11SP1 is out of support (unless you have some special support contract), you might consider upgrading to a newer level (i.e. SP3). Depending on your use, I recall that the shipped OpenLDAP version had serious issues, especially in the area of replication.

Regards,
Jens[/QUOTE]

Thanks!

Hi sergiohnj,

[QUOTE=sergiohnj;28076]
From /etc/openldap/slapd.conf:

# Note: The OpenLDAP configuration has been created by YaST. YaST does not
# use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore.
# YaST uses OpenLDAP’s dynamic configuration database (back-config) to
# store the LDAP server’s configuration.[/QUOTE]

So then… take a look at what’s in the corresponding LDIF file :smiley: ("/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{-1\}frontend.ldif" ?)

Is that really SLES11SP1? I thought that they started LDIF-based configuration in SP3, but maybe I was just too old-school to take notice before then.

Regards,
Jens
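
Editor's note with an added example (not code from the thread, from YaST or from OpenLDAP). What YaST's dialog produces is an ordered set of olcAccess values on the database entry under /etc/openldap/slapd.d/cn=config/ (the frontend file Jens names carries global ACLs; a database's own ACLs sit in its own entry, e.g. olcDatabase={1}hdb.ldif, which is an assumed name here). On a running server, `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` lists them in evaluation order, provided the config database grants that identity access. slapd evaluates those values as documented in slapd.access(5): the first directive whose `to <what>` matches the entry is used, then the first `by <who>` clause inside it that matches the bind DN decides, and a directive whose `by` list is exhausted denies (an implicit `by * none`). That is why the ordering in the first post cannot work: the "All entries" directive for admin comes first, matches every entry, and denies everyone except admin before the subtree rule is ever reached. The Python block below models exactly that evaluation and runs it over three constructed olcAccess sets: the rules as posted, the same rules with the most specific `to` first, and a variant that keeps the admin rule first but uses `break` to fall through. The DNs, entry names and olcAccess strings are constructed for the example; only the selectors they use are implemented.

```python
"""Model of how slapd evaluates olcAccess values (see slapd.access(5)).
Added example, not YaST's or OpenLDAP's code: directives are tried in order,
the first whose <what> matches the entry is used, and its first <by> clause
whose <who> matches the bind DN decides; an exhausted <by> list means 'by * none'.
Only the selectors used below are supported, and DNs are assumed to contain
no spaces or escaped commas (true for the constructed values here)."""
import re

# Access levels, weakest to strongest; a grant of X satisfies any request <= X.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
_DIRECTIVE = re.compile(r"^(?:\{\d+\})?\s*to\s+(\S+)\s+(.*)$")
_BY = re.compile(r"by\s+(\S+)\s+(" + "|".join(LEVELS) + r")(?:\s+(stop|continue|break))?")


def parse_olc_access(values):
    """olcAccess values -> [(what, [(who, level, control), ...]), ...] in order."""
    rules = []
    for value in values:
        m = _DIRECTIVE.match(value.strip())
        if not m:
            raise ValueError("unparsable olcAccess value: %r" % value)
        rules.append((m.group(1), [(who, lvl, ctl or "stop") for who, lvl, ctl in _BY.findall(m.group(2))]))
    return rules


def _norm(dn):
    return ",".join(p.strip() for p in dn.strip('"').lower().split(","))


def what_matches(what, entry_dn):
    if what == "*":
        return True
    style, _, target = what.partition("=")
    target, entry = _norm(target), _norm(entry_dn)
    if style in ("dn.exact", "dn.base"):
        return entry == target
    if style == "dn.subtree":
        return entry == target or entry.endswith("," + target)
    raise ValueError("unsupported <what> selector: " + what)


def who_matches(who, bind_dn):  # bind_dn is None for an anonymous bind
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (bind_dn is None) == (who == "anonymous")
    if who.startswith("dn.exact="):
        return bind_dn is not None and _norm(bind_dn) == _norm(who.split("=", 1)[1])
    raise ValueError("unsupported <who> selector: " + who)


def evaluate(rules, bind_dn, entry_dn):
    """Access level slapd would grant bind_dn on entry_dn.  Controls: 'stop'
    (default) ends evaluation, 'continue' lets later <by> clauses of the same
    directive override, 'break' falls through to the next matching directive."""
    granted = "none"
    for what, clauses in rules:
        if not what_matches(what, entry_dn):
            continue
        matched = fall_through = False
        for who, level, control in clauses:
            if not who_matches(who, bind_dn):
                continue
            matched, granted = True, level
            if control == "stop":
                return granted
            if control == "break":
                fall_through = True
                break
        if not fall_through:
            return granted if matched else "none"  # implicit 'by * none'
    return granted


ADMIN, PROXY = "cn=admin,dc=users,dc=tree", "cn=userproxy,dc=users,dc=tree"
INSIDE, OUTSIDE = "uid=alice,dc=container,dc=tree", "dc=users,dc=tree"  # constructed entries

# The three rules in the order the first post lists them: the generic '*' rule first.
POSTED = [
    '{0}to * by dn.exact="cn=admin,dc=users,dc=tree" manage stop',
    '{1}to dn.subtree="dc=container,dc=tree" by dn.exact="cn=userproxy,dc=users,dc=tree" read stop',
    '{2}to * by * read stop',
]
# Most specific <what> first; admin is repeated there because the subtree
# directive's implicit 'by * none' would otherwise lock admin out of it.
SPECIFIC_FIRST = [
    '{0}to dn.subtree="dc=container,dc=tree" by dn.exact="cn=admin,dc=users,dc=tree" manage'
    ' by dn.exact="cn=userproxy,dc=users,dc=tree" read',
    '{1}to * by dn.exact="cn=admin,dc=users,dc=tree" manage by * read',
]
# Same intent keeping admin first: 'by * none break' lets everyone else fall through.
WITH_BREAK = [
    '{0}to * by dn.exact="cn=admin,dc=users,dc=tree" manage by * none break',
    '{1}to dn.subtree="dc=container,dc=tree" by dn.exact="cn=userproxy,dc=users,dc=tree" read',
    '{2}to * by * read',
]


def outcome(values):
    r = parse_olc_access(values)
    return {"admin@inside": evaluate(r, ADMIN, INSIDE), "proxy@inside": evaluate(r, PROXY, INSIDE),
            "proxy@outside": evaluate(r, PROXY, OUTSIDE), "anon@inside": evaluate(r, None, INSIDE)}


if __name__ == "__main__":
    for name in ("POSTED", "SPECIFIC_FIRST", "WITH_BREAK"):
        print(name, outcome(globals()[name]))
```

Running it shows the posted order granting admin "manage" but userproxy "none" everywhere, because the first directive swallows every entry; the specific-first order and the break variant both give userproxy "read" inside the subtree, while anonymous binds still get "none" there because the subtree directive lists nobody else. Two caveats when you compare this with what YaST wrote: the model does not know the `self`, group or regex selectors, and real DNs with escaped commas need proper RFC 4514 parsing rather than the split on "," used here.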