Home / server / Questions / 978774
Accepted
Hannes
Asked: 2019-08-12 04:56:27 +0800 CST

LDAP - Grant user write permission to group / organizationalUnit

  • 772

I tried to grant cn=admin,ou=Administrators,dc=example,dc=com full write access to ou=People,dc=example,dc=com so that this admin can create (and of course read) new entries under ou=People and also can modify them (e.g. changing passwords).

My ldif file looks like

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {4}to dn.subtree="ou=People,dc=example,dc=com" by dn.exact="cn=admin,ou=Administrators,dc=example,dc=com" write

After running it with ldapadd -Y EXTERNAL -H ldapi:/// -f permission.ldif, I just got

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Anyone can explain what is wrong here and how to do it correct? Tried quite a lot things which I found online.

ldap

1 Answers

  1. Best Answer

    After a few more trial and errors I found a working solution.

    Take a look at this ldif:

    dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by dn="cn=admin,ou=Administrators,dc=example,dc=com" write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com" by dn.exact="ccn=admin,ou=Administrators,dc=example,dc=com" write
olcAccess: {3}to * by * read

    /edit: Well, this lets you create new users under ou=People but you cannot change all attributes of them.

    • 1