LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 12-08-2010, 03:40 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Rep: Reputation: 33
OpenLdap: confusing users


Hello,

I'm confused about the different types of "users".

What I want :

1 DIT with different OU's.

In each OU there are inetOrgPersons with attribute name and telephone number.

There are about 50 entries in each OU.

Now I have 3 to 5 employees per OU. What accounts do these employees need to be able to read the phone number of a certain inetOrgPerson when they know the name of this Person?


Do these 5 employees need a "Person"-objectclass, or an "OrganizationalRole"-objectclass, or something else ?

These employees do not need to change the information of the OU and its objects inside it.
Also, an employee may only see the Persons in its own OU (e.g. Sales).

This Ldap-server is only for looking up telephone numbers, not for authentication of employees.

Last edited by jonaskellens; 12-08-2010 at 03:42 AM.
 
Old 12-08-2010, 02:01 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
As I mentioned on your other thread, it's not the account that has the right to do anything in itself, it's down to the ACLs, which can simply be defined in your slapd.conf.
 
Old 12-09-2010, 06:33 AM   #3
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
I need to understand some things before I can help.

Have you installed OpenLDAP?

Have you set the name and password of the rootdn in the slapd.conf?

Have you set the root suffix in the slapd.conf?

Have you configured the base and uri in the ldap.conf?

What happens when you run ldapsearch -x?
 
Old 12-09-2010, 06:48 AM   #4
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by jamrock View Post
Have you installed OpenLDAP?

Have you set the name and password of the rootdn in the slapd.conf?

Have you set the root suffix in the slapd.conf?

Have you configured the base and uri in the ldap.conf?
My ldap.conf :
Code:
database        bdb
suffix          "dc=mydomain,dc=local"
rootdn          "cn=Manager,dc=mydomain,dc=local"
rootpw          GuessThis
directory       /var/lib/ldap

Quote:
What happens when you run ldapsearch -x?
Code:
[root@asterisk16 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
 
Old 12-09-2010, 09:00 AM   #5
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
Quote:
database bdb
suffix "dc=mydomain,dc=local"
rootdn "cn=Manager,dc=mydomain,dc=local"
rootpw GuessThis
directory /var/lib/ldap
OpenLDAP has 2 main components. One is the client and one is the server.

The configuration file for the server is slapd.conf. The information you have listed above should be in the slapd.conf.

The configuration file for the client is the ldap.conf. It should include information similar to

# Section of ldap database from which to start searching
BASE dc=mydomain,dc=local

# Location of LDAP server.
URI ldap://server1.mydomain.local

Basically, you are letting the ldap client know where to find the ldap server information.

The next step will be to import your initial settings. Take a look at this documentation.

http://www.openldap.org/doc/admin24/quickstart.html

Here is a sample ldif file.

# Top of the directory structure
dn: dc=mydomain,dc=local
objectClass: dcObject
objectClass: organization
dc: mydomain
o: My Domain Limited
description: My Domain Limited

# Organizational Role for Directory Manager
dn: cn=Manager,dc=mydomain,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# Organization Unit to hold contact information
dn: ou=contacts,dc=mydomain,dc=local
objectClass: organizationalUnit
ou: contacts
description: Company Address Book

# Organization Unit to hold user mail information
dn: ou=mail,dc=mydomain,dc=local
objectClass: organizationalUnit
ou: mail
description: User Mail Information

Quote:
1 DIT with different OU's.
You can use the ou format above to create the organizational units.

Quote:
Now I have 3 to 5 employees per OU. What accounts do these employees need to be able to read the phone number of a certain InetorgPerson when they know the name of this Person ??
It sounds as if you want to restrict each user to have read access on a specific ou in the directory. Is this correct?

What application will people be using to read the directory information?

Last edited by jamrock; 12-09-2010 at 09:01 AM.
 
Old 12-09-2010, 10:23 AM   #6
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by jamrock View Post
It sounds as if you want to restrict each user to have read access on a specific ou in the directory. Is this correct?
What application will people be using to read the directory information?
I want to restrict each inetOrgPerson to its own OU with read-rights to the telephoneNumber-attribute of the objects inside that OU.

So I have objects like :
(inetOrgPerson) dn: cn=Company AA,ou=101001,dc=mydomain,dc=local
with attribute sn and telephoneNumber
and also :
(inetOrgPerson) dn: cn=U101001,ou=101001,dc=mydomain,dc=local
with attribute sn and userPassword

These reside in the OU "101001".

What I want is that a user like U101001 is able to read the telephoneNumber of Company AA.


The ldap clients are Snom IP-phones. I use my ldap-server as phone book.
 
Old 12-09-2010, 11:23 AM   #7
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
Quote:
Originally Posted by jonaskellens View Post
I want to restrict each inetOrgPerson to its own OU with read-rights to the telephoneNumber-attribute of the objects inside that OU.
You need to make a distinction between the record or object in the ldap directory and the users who will read the information.

For example, my directory can store mail information re: the users on my network. I must then set my security to restrict the access of users to the data in the directory.

Quote:
Originally Posted by jonaskellens View Post
So I have objects like :
(inetOrgPerson) dn: cn=Company AA,ou=101001,dc=mydomain,dc=local
with attribute sn and telephoneNumber
and also :
(inetOrgPerson) dn: cn=U101001,ou=101001,dc=mydomain,dc=local
with attribute sn and userPassword

These reside in the OU "101001".

What I want is that a user like U101001 is able to read the telephoneNumber of Company AA.


The ldap clients are Snom IP-phones. I use my ldap-server as phone book.
Would the following approach work?

Create 2 separate branches. One for companies and one for users.
They would be set up as organizational units.

ou=companies,dc=mydomain,dc=local
ou=users,dc=mydomain,dc=local

Then

ou=companyaa,ou=companies,dc=mydomain,dc=local
ou=companyaa,ou=users,dc=mydomain,dc=local

Create the additional organizational units for each company.

ou=companybb,ou=companies,dc=mydomain,dc=local
ou=companybb,ou=users,dc=mydomain,dc=local


Add the data records to the relevant organizational unit under the company organizational unit. Add the users to the relevant organizational unit under the users organizational unit.

Quote:
There are about 50 entries in each OU.
Add these 50 entries to ou=companyaa,ou=companies,dc=mydomain,dc=local.

Quote:
Now I have 3 to 5 employees per OU.
Add these 3 to 5 employees to ou=companyaa,ou=users,dc=mydomain,dc=local


I don't know what type of authentication you will be using. However, set this up so the users can login and view the directory.

Use the OpenLDAP access control lists to restrict read access of ou=companyaa,ou=companies,dc=mydomain,dc=local to the members of ou=companyaa,ou=users,dc=mydomain,dc=local.

Use the OpenLDAP access control lists to restrict read access of ou=companybb,ou=companies,dc=mydomain,dc=local to the members of ou=companybb,ou=users,dc=mydomain,dc=local.

You can find out more about OpenLDAP access control lists here:
http://www.openldap.org/doc/admin24/access-control.html

This is the point being made by acid_kewpie.

Quote:
As I mentioned on your other thread, it's not the account that has the right to do anything in itself, it's down to the acl's, which can simply be defined in your slapd.conf
Your directory structure could also be similar to:

ou=data,ou=companyaa,dc=mydomain,dc=local
ou=users,ou=companyaa,dc=mydomain,dc=local


ou=data,ou=companybb,dc=mydomain,dc=local
ou=users,ou=companybb,dc=mydomain,dc=local

Last edited by jamrock; 12-09-2010 at 11:34 AM.
 
Old 12-09-2010, 11:42 AM   #8
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Original Poster
Rep: Reputation: 33
I cannot make an OU for every company whose contact coordinates we keep...

I want to keep my current structure.

It is still not clear to me how I give read access to some user.

Question 1 : does this 'user' need to exist as an inetOrgPerson-object, or Person-object, or User-object, or OrganizationalRole-object ? Does this user-object need to exist at all ??

Question 2 : am I right that giving access rights is always and only defined in slapd.conf ? Am I right that this has nothing to do with the position of this 'user' in an OU ?
 
Old 12-09-2010, 11:50 AM   #9
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
Quote:
Originally Posted by jonaskellens View Post
I cannot make an OU for every company whose contact coordinates we keep...

I want to keep my current structure.
You will need to find a way to separate the data from the users. Check the syntax of the access control lists. You may find something you can use.

Quote:
Originally Posted by jonaskellens View Post
It is still not clear to me how I give read access to some user.
Take a look at the document I have posted and then let me know the parts you don't understand.

Quote:
Originally Posted by jonaskellens View Post
Question 1 : does this 'user' need to exist as an inetOrgPerson-object, or Person-object, or User-object, or OrganizationalRole-object ? Does this user-object need to exist at all ??
The user needs to exist somewhere. How do you currently give users access to the Linux machine?


Quote:
Originally Posted by jonaskellens View Post
Question 2 : am I right that giving access rights is always and only defined in slapd.conf ? Am I right that this has nothing to do with the position of this 'user' in an OU ?
The position of the user in the directory has nothing to do with user access rights. It is just a record in a database. Records have different attributes. A user record includes a username and a password. This is what distinguishes it from an address book record with attributes such as email address and telephone number.

Because the user record has a username and password it is possible to configure it for authentication.

Last edited by jamrock; 12-09-2010 at 11:53 AM.
 
Old 12-09-2010, 12:27 PM   #10
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by jamrock View Post
Because the user record has a username and password it is possible to configure it for authentication.
So I need:
1. an object (ex inetOrgPerson) somewhere in my tree with an attribute sn and attribute userPassword
2. a definition in slapd.conf like this :

Code:
defaultaccess   none
access to *
        by dn="cn=Manager,dc=mydomain,dc=local"  write
        by dn="cn=U101001,ou=101001,dc=mydomain,dc=local" read
Problem with this :

Code:
[root@asterisk16 ~]# ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local'
Enter LDAP Password: test101001
ldap_bind: Invalid credentials (49)
Without the extra lines of "access to..." it works great. So what's wrong ??


Quote:
Originally Posted by jamrock View Post
How do you currently give user's access to the Linux machine?
/etc/passwd
I only use root and nagios account.
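An added example, not written by anyone in this thread, showing how the slapd.conf ACL from the post above can be made to work: a simple bind is evaluated while the client is still anonymous, so anonymous needs `auth` access to userPassword, and with only `access to * by dn=... read` it gets the implicit `by * none`, hence the "Invalid credentials (49)". It assumes the structure described above (one OU per customer such as ou=101001, holding both contact entries like cn=Company AA and user entries like cn=U101001), that cn=Manager is the rootdn, and that the `$2` back-reference from the `to` dn.regex into the `by` dn.regex works as described in slapd.access(5).

```conf
# slapd.conf ACL fragment (added example, not from the thread).
# Assumed layout: one OU per customer under dc=mydomain,dc=local, holding
# both the contact entries (cn=Company AA) and the user entries (cn=U101001).
# Rules are tried in order: the first "access to" whose <what> matches the
# entry wins, and within it the first matching "by" clause applies.
# Anything not matched by any "by" clause gets no access at all.

# 1. Passwords. A simple bind is evaluated while the client is still
#    anonymous, so anonymous needs "auth" on userPassword; without this
#    clause every bind fails with "Invalid credentials (49)", which is
#    exactly what the "access to *" rules above produce.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Phone book. Inside a customer OU, only a user entry in that same OU
#    may search and read the contact attributes. $2 is the OU's DN captured
#    by the <what> regex. "entry" is needed to return entries at all, and
#    "read" implies the "search" access needed to evaluate a (cn=...) filter.
access to dn.regex="^(.*,)?(ou=[^,]+,dc=mydomain,dc=local)$"
         attrs=entry,objectClass,cn,sn,telephoneNumber
        by dn.regex="^cn=[^,]+,$2$" read
        by * none

# 3. Everything else is closed. The rootdn (cn=Manager) is not listed
#    because it bypasses ACLs and always has full access.
access to *
        by * none
```

After restarting slapd, the ldapsearch with -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local' should bind and return only sn, cn and telephoneNumber of that OU's entries, while the same bind with -b 'ou=101002,...' returns nothing.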
 
Old 12-09-2010, 01:06 PM   #11
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
Quote:
So I need:
1. an object (ex inetOrgPerson) somewhere in my tree with an attribute sn and attribute userPassword
Quote:
Without the extra lines of "access to..." it works great. So what's wrong ??
You will need to read up a bit on using OpenLDAP for user authentication.

http://www.openldap.org/doc/admin24/...tion%20Methods

Google will provide you with some more documents.

The inetOrgPerson is a schema. It might be useful to read up on OpenLDAP schemas also.

There are a few GUI tools that you can use to manage your directory. I use LDAP Admin but others exist.

http://ldapadmin.sourceforge.net/index.html

Last edited by jamrock; 12-10-2010 at 08:15 AM.
 
Old 12-09-2010, 02:03 PM   #12
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by jamrock View Post
There are a few GUI tools that you can use to manage your directory.
I use phpldapadmin...

The GUI that you suggest is for Windows... I don't use Windows.

I'm following the guide : http://www.yolinux.com/TUTORIALS/Lin...AP-BindPW.html

I still don't know why my "access to..." lines don't work.

I don't have "disallow bind_anon" and I don't have "disallow bind_simple" defined. So, my ldap-search with user "cn=U101001,ou=101001,dc=mydomain,dc=local" should give results, no ?!

Last edited by jonaskellens; 12-09-2010 at 02:10 PM.
 
Old 12-10-2010, 08:20 AM   #13
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
Quote:
The GUI that you suggest is for Windows... I don't use Windows.
Quote:
I use LDAP Admin but others exist.
Quote:
I still don't know why my "access to..." lines don't work.
Do you already have entries in your directory? Your search comes up empty. If you have entries in your directory you need to configure your ldap client.

Quote:
[root@asterisk16 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
Quote:
The configuration file for the client is the ldap.conf. It should include information similar to

# Section of ldap database from which to start searching
BASE dc=mydomain,dc=local

# Location of LDAP server.
URI ldap://server1.mydomain.local

Basically, you are letting the ldap client know where to find the ldap server information.
 
Old 12-10-2010, 09:01 AM   #14
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Original Poster
Rep: Reputation: 33
Thank you for your answer.

The ldap-clients are Snom IP-phones, but that's the next step.

When I execute :
Code:
ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local'
on the Ldap-server itself, do I then also need to configure ldap.conf ??

This ldapsearch gives results, no problem.

The problem occurs when I add the "access to *" lines.

Last edited by jonaskellens; 12-10-2010 at 09:02 AM.
 
Old 12-10-2010, 09:11 AM   #15
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
Are you sure you actually need to use access restrictions? A phone number is hardly interesting, and just because they have technical access to something, doesn't mean that that access is going to be exercised by the client.
 
  

