LinuxQuestions.org

jonaskellens 12-08-2010 02:40 AM

OpenLdap: confusing users
 
Hello,

I'm confused about the different types of "users".

What I want :

1 DIT with different OU's.

In each OU there are InetorgPersons with attribute name and telephone number.

There are about 50 entries in each OU.

Now I have 3 to 5 employees per OU. What accounts do these employees need to be able to read the phone number of a certain InetorgPerson when they know the name of this Person ??


Do these 5 employees need a "Person"-objectclass, or an "OrganizationalRole"-objectclass, or something else ?

These employees do not need to change the information of the OU and its objects inside it.
Also an employee may only see the Persons in its own OU (ex Sales)

This Ldap-server is only for looking up telephone numbers, not for authentication of employees.

acid_kewpie 12-08-2010 01:01 PM

As I mentioned on your other thread, it's not the account that has the right to do anything in itself, it's down to the acl's, which can simply be defined in your slapd.conf

jamrock 12-09-2010 05:33 AM

I need to understand some things before I can help.

Have you installed OpenLDAP?

Have you set the name and password of the rootdn in the slapd.conf?

Have you set the root suffix in the slapd.conf?

Have you configured the base and uri in the ldap.conf?

What happens when you run ldapsearch -x?

jonaskellens 12-09-2010 05:48 AM

Quote:

Originally Posted by jamrock (Post 4185762)
Have you installed OpenLDAP?

Have you set the name and password of the rootdn in the slapd.conf?

Have you set the root suffix in the slapd.conf?

Have you configured the base and uri in the ldap.conf?

My ldap.conf :
Code:

database        bdb
suffix          "dc=mydomain,dc=local"
rootdn          "cn=Manager,dc=mydomain,dc=local"
rootpw          GuessThis
directory      /var/lib/ldap


Quote:

What happens when you run ldapsearch -x?
Code:

[root@asterisk16 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


jamrock 12-09-2010 08:00 AM

Quote:

database bdb
suffix "dc=mydomain,dc=local"
rootdn "cn=Manager,dc=mydomain,dc=local"
rootpw GuessThis
directory /var/lib/ldap

OpenLDAP has 2 main components. One is the client and one is the server.

The configuration file for the server is slapd.conf. The information you have listed above should be in the slapd.conf.

The configuration file for the client is the ldap.conf. It should include information similar to

# Section of ldap database from which to start searching
BASE dc=mydomain,dc=local

# Location of LDAP server.
URI ldap://server1.mydomain.local

Basically, you are letting the ldap client know where to find the ldap server information.

The next step will be to import your initial settings. Take a look at this documentation.

http://www.openldap.org/doc/admin24/quickstart.html

Here is a sample ldif file.

# Top of the directory structure
dn: dc=mydomain,dc=local
objectClass: dcObject
objectClass: organization
dc: mydomain
o: My Domain Limited
description: My Domain Limited

# Organizational Role for Directory Manager
dn: cn=Manager,dc=mydomain,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# Organization Unit to hold contact information
dn: ou=contacts,dc=mydomain,dc=local
objectClass: organizationalUnit
ou: contacts
description: Company Address Book

# Organization Unit to hold user mail information
dn: ou=mail,dc=mydomain,dc=local
objectClass: organizationalUnit
ou: mail
description: User Mail Information

Quote:

1 DIT with different OU's.

You can use the ou format above to create the organizational units.

Quote:

Now I have 3 to 5 employees per OU. What accounts do these employees need to be able to read the phone number of a certain InetorgPerson when they know the name of this Person ??

It sounds as if you want to restrict each user to have read access on a specific ou in the directory. Is this correct?

What application will people be using to read the directory information?

jonaskellens 12-09-2010 09:23 AM

Quote:

Originally Posted by jamrock (Post 4185889)
It sounds as if you want to restrict each user to have read access on a specific ou in the directory. Is this correct?
What application will people be using to read the directory information?

I want to restrict each inetOrgPerson to its own OU with read-rights to the telephoneNumber-attribute of the objects inside that OU.

So I have objects like :
(inetOrgPerson) dn: cn=Company AA,ou=101001,dc=mydomain,dc=local
with attribute sn and telephoneNumber
and also :
(inetOrgPerson) dn: cn=U101001,ou=101001,dc=mydomain,dc=local
with attribute sn and userPassword

These reside in the OU "101001".

What I want is that a user like U101001 is able to read the telephoneNumber of Company AA.


The ldap clients are Snom IP-phones. I use my ldap-server as phone book.

jamrock 12-09-2010 10:23 AM

Quote:

Originally Posted by jonaskellens (Post 4185977)
I want to restrict each inetOrgPerson to its own OU with read-rights to the telephoneNumber-attribute of the objects inside that OU.

You need to make a distinction between the record or object in the ldap directory and the users who will read the information.

For example. My directory can store mail information re: the users on my network. I must then set my security to restrict the access of users to the data in the directory.

Quote:

Originally Posted by jonaskellens (Post 4185977)
So I have objects like :
(inetOrgPerson) dn: cn=Company AA,ou=101001,dc=mydomain,dc=local
with attribute sn and telephoneNumber
and also :
(inetOrgPerson) dn: cn=U101001,ou=101001,dc=mydomain,dc=local
with attribute sn and userPassword

These reside in the OU "101001".

What I want is that a user like U101001 is able to read the telephoneNumber of Company AA.


The ldap clients are Snom IP-phones. I use my ldap-server as phone book.

Would the following approach work?

Create 2 separate branches. One for companies and one for users.
They would be set up as organizational units.

ou=companies,dc=mydomain,dc=local
ou=users,dc=mydomain,dc=local

Then

ou=companyaa,ou=companies,dc=mydomain,dc=local
ou=companyaa,ou=users,dc=mydomain,dc=local

Create the additional organizational units for each company.

ou=companybb,ou=companies,dc=mydomain,dc=local
ou=companybb,ou=users,dc=mydomain,dc=local


Add the data records to the relevant organizational unit under the company organizational unit. Add the users to the relevant organizational unit under the users organizational unit.

Quote:

There are about 50 entries in each OU.

Add these 50 entries to ou=companyaa,ou=companies,dc=mydomain,dc=local.

Quote:

Now I have 3 to 5 employees per OU.

Add these 3 to 5 employees to ou=companyaa,ou=users,dc=mydomain,dc=local


I don't know what type of authentication you will be using. However, set this up so the users can login and view the directory.

Use the OpenLDAP access control lists to restrict read access of ou=companyaa,ou=companies,dc=mydomain,dc=local to the members of ou=companyaa,ou=users,dc=mydomain,dc=local.

Use the OpenLDAP access control lists to restrict read access of ou=companybb,ou=companies,dc=mydomain,dc=local to the members of ou=companybb,ou=users,dc=mydomain,dc=local.

You can find out more about OpenLDAP access control lists here:
http://www.openldap.org/doc/admin24/access-control.html

This is the point being made by acid_kewpie.

Quote:

As I mentioned on your other thread, it's not the account that has the right to do anything in itself, it's down to the acl's, which can simply be defined in your slapd.conf

Your directory structure could also be similar to:

ou=data,ou=companyaa,dc=mydomain,dc=local
ou=users,ou=companyaa,dc=mydomain,dc=local


ou=data,ou=companybb,dc=mydomain,dc=local
ou=users,ou=companybb,dc=mydomain,dc=local

jonaskellens 12-09-2010 10:42 AM

I cannot make an OU for every company which contact coördinates we keep...

I want to keep my current structure.

It is still not clear to me how I give read access to some user.

Question 1 : does this 'user' need to exist as an inetOrgPerson-object, or Person-object, or User-object, or OrganizationalRole-object ? Does this user-object need to exist at all ??

Question 2 : am I right that giving access rights is always and only defined in slapd.conf ? Am I right that this has nothing to do with the position of this 'user' in an OU ?

jamrock 12-09-2010 10:50 AM

Quote:

Originally Posted by jonaskellens (Post 4186066)
I cannot make an OU for every company which contact coördinates we keep...

I want to keep my current structure.

You will need to find a way to separate the data from the users. Check the syntax of the access control lists. You may find something you can use.

Quote:

Originally Posted by jonaskellens (Post 4186066)
It is still not clear to me how I give read access to some user.

Take a look at the document I have posted and then let me know the parts you don't understand.

Quote:

Originally Posted by jonaskellens (Post 4186066)
Question 1 : does this 'user' need to exist as an inetOrgPerson-object, or Person-object, or User-object, or OrganizationalRole-object ? Does this user-object need to exist at all ??

The user needs to exist somewhere. How do you currently give users access to the Linux machine?


Quote:

Originally Posted by jonaskellens (Post 4186066)
Question 2 : am I right that giving access rights is always and only defined in slapd.conf ? Am I right that this has nothing to do with the position of this 'user' in an OU ?

The position of the user in the directory has nothing to do with user access rights. It is just a record in a database. Records have different attributes. A user record includes a username and a password. This is what distinguishes it from an address book record with attributes such as email address and telephone number.

Because the user record has a username and password it is possible to configure it for authentication.

jonaskellens 12-09-2010 11:27 AM

Quote:

Originally Posted by jamrock (Post 4186073)
Because the user record has a username and password it is possible to configure it for authentication.

So I need:
1. an object (ex inetOrgPerson) somewhere in my tree with an attribute sn and attribute userPassword
2. a definition in slapd.conf like this :

Code:

defaultaccess  none
access to *
        by dn="cn=Manager,dc=mydomain,dc=local"  write
        by dn="cn=U101001,ou=101001,dc=mydomain,dc=local" read

Problem with this :

Code:

[root@asterisk16 ~]# ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local'
Enter LDAP Password: test101001
ldap_bind: Invalid credentials (49)

Without the extra lines of "access to..." it works great. So what's wrong ??


Quote:

Originally Posted by jamrock (Post 4186073)
How do you currently give user's access to the Linux machine?

/etc/passwd
I only use root and nagios account.
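
The `Invalid credentials (49)` result in the post above fits slapd's ACL evaluation rules: every `access to` clause ends with an implicit `by * none`, and a simple bind is checked while the connection is still anonymous, so anonymous needs `auth` access to `userPassword`. The slapd.conf fragment below is an added example, not code from any poster in this thread; it keeps the existing `ou=101001` layout and assumes the other OUs are laid out the same way.

```conf
# Added example: ACL section for the database with
# suffix "dc=mydomain,dc=local" (DNs are the ones used in this thread).

# --- Before (as posted): bind as U101001 fails with error 49 ---
# access to *
#         by dn="cn=Manager,dc=mydomain,dc=local"  write
#         by dn="cn=U101001,ou=101001,dc=mydomain,dc=local" read
# Implicit last line: "by * none". Anonymous therefore has no "auth"
# access to userPassword, and the password comparison for a simple bind
# is done before the connection has an identity.
# The Manager line is redundant: ACLs are never applied to the rootdn.

# --- After ---
# 1. Passwords: usable for bind, readable by nobody.
access to attrs=userPassword
        by anonymous auth
        by * none

# 2. Phone book of OU 101001: read-only, and only for accounts in that OU.
#    dn.subtree covers the OU entry and everything below it;
#    dn.children matches bind DNs located below the OU (cn=U101001,...).
access to dn.subtree="ou=101001,dc=mydomain,dc=local"
        by dn.children="ou=101001,dc=mydomain,dc=local" read
        by * none

# Repeat clause 2 once per OU (assumption: same layout in every OU).

# 3. Everything else, including the suffix entry: no access.
access to *
        by * none
```

Clause order matters because slapd stops at the first `access to` clause that matches the entry and attribute, so the `userPassword` rule has to come before the subtree rule. `slaptest` checks the file for syntax errors before slapd is restarted.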

jamrock 12-09-2010 12:06 PM

Quote:

So I need:
1. an object (ex inetOrgPerson) somewhere in my tree with an attribute sn and attribute userPassword

Quote:

Without the extra lines of "access to..." it works great. So what's wrong ??

You will need to read up a bit on using OpenLDAP for user authentication.

http://www.openldap.org/doc/admin24/...tion%20Methods

Google will provide you with some more documents.

The inetOrgPerson is a schema. It might be useful to read up on OpenLDAP schemas also.

There are a few GUI tools that you can use to manage your directory. I use LDAP Admin but others exist.

http://ldapadmin.sourceforge.net/index.html

jonaskellens 12-09-2010 01:03 PM

Quote:

Originally Posted by jamrock (Post 4186168)
There are a few GUI tools that you can use to manage your directory.

I use phpldapadmin...

The GUI that you suggest is for Windows... I don't use Windows.

I'm following the guide : http://www.yolinux.com/TUTORIALS/Lin...AP-BindPW.html

I still don't know why my "access to..." lines don't work.

I don't have "disallow bind_anon" and I don't have "disallow bind_simple" defined. So, my ldap-search with user "cn=U101001,ou=101001,dc=mydomain,dc=local" should give results, no ?!

jamrock 12-10-2010 07:20 AM

Quote:

The GUI that you suggest is for Windows... I don't use Windows.

Quote:

I use LDAP Admin but others exist.

Quote:

I still don't know why my "access to..." lines don't work.

Do you already have entries in your directory? Your search comes up empty. If you have entries in your directory you need to configure your ldap client.

Quote:

[root@asterisk16 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Quote:

The configuration file for the client is the ldap.conf. It should include information similar to

# Section of ldap database from which to start searching
BASE dc=mydomain,dc=local

# Location of LDAP server.
URI ldap://server1.mydomain.local

Basically, you are letting the ldap client know where to find the ldap server information.

jonaskellens 12-10-2010 08:01 AM

Thank you for your answer.

The ldap-clients are Snom IP-phones, but that's the next step.

When I execute :
Code:

ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local'

on the Ldap-server itself, do I then also need to configure ldap.conf ??

This ldapsearch gives results, no problem.

The problem occurs when I add the "access to *" lines.

acid_kewpie 12-10-2010 08:11 AM

Are you sure you actually need to use access restrictions? A phone number is hardly interesting, and just because they have technical access to something, doesn't mean that that access is going to be exercised by the client.


All times are GMT -5.