Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
12-08-2010, 02:40 AM
#1
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 694
OpenLdap: confusing users
Hello,
I'm confused about the different types of "users".
What I want :
1 DIT with different OU's.
In each OU there are InetorgPersons with attribute name and telephone number.
There are about 50 entries in each OU.
Now I have 3 to 5 employees per OU. What accounts do these employees need to be able to read the phone number of a certain InetorgPerson when they know the name of this Person ??
Do these 5 employees need a "Person"-objectclass, or an "OrganizationalRole"-objectclass, or something else ?
These employees do not need to change the information of the OU and its objects inside it.
Also an employee may only see the Persons in its own OU (ex Sales)
This Ldap-server is only for looking up telephone numbers, not for authentication of employees.
Last edited by jonaskellens; 12-08-2010 at 02:42 AM.
12-08-2010, 01:01 PM
#2
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
As I mentioned on your other thread, it's not the account that has the right to do anything in itself, it's down to the ACLs, which can simply be defined in your slapd.conf.
12-09-2010, 05:33 AM
#3
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
I need to understand some things before I can help.
Have you installed OpenLDAP?
Have you set the name and password of the rootdn in the slapd.conf?
Have you set the root suffix in the slapd.conf?
Have you configured the base and uri in the ldap.conf?
What happens when you run ldapsearch -x?
12-09-2010, 05:48 AM
#4
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 694
Original Poster
Quote:
Originally Posted by jamrock
Have you installed OpenLDAP?
Have you set the name and password of the rootdn in the slapd.conf?
Have you set the root suffix in the slapd.conf?
Have you configured the base and uri in the ldap.conf?
|
My ldap.conf :
Code:
database bdb
suffix "dc=mydomain,dc=local"
rootdn "cn=Manager,dc=mydomain,dc=local"
rootpw GuessThis
directory /var/lib/ldap
Quote:
What happens when you run ldapsearch -x?
|
Code:
[root@asterisk16 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
12-09-2010, 08:00 AM
#5
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Quote:
database bdb
suffix "dc=mydomain,dc=local"
rootdn "cn=Manager,dc=mydomain,dc=local"
rootpw GuessThis
directory /var/lib/ldap
|
OpenLDAP has 2 main components. One is the client and one is the server.
The configuration file for the server is slapd.conf. The information you have listed above should be in the slapd.conf.
The configuration file for the client is the ldap.conf. It should include information similar to:
Code:
# Section of ldap database from which to start searching
BASE dc=mydomain,dc=local
# Location of LDAP server.
URI ldap://server1.mydomain.local
Basically, you are letting the ldap client know where to find the ldap server information.
The next step will be to import your initial settings. Take a look at this document.
http://www.openldap.org/doc/admin24/quickstart.html
Here is a sample ldif file.
Code:
# Top of the directory structure
dn: dc=mydomain,dc=local
objectClass: dcObject
objectClass: organization
dc: mydomain
o: My Domain Limited
description: My Domain Limited
# Organizational Role for Directory Manager
dn: cn=Manager,dc=mydomain,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager
# Organization Unit to hold contact information
dn: ou=contacts,dc=mydomain,dc=local
objectClass: organizationalUnit
ou: contacts
description: Company Address Book
# Organization Unit to hold user mail information
dn: ou=mail,dc=mydomain,dc=local
objectClass: organizationalUnit
ou: mail
description: User Mail Information
Quote:
1 DIT with different OU's.
|
You can use the ou format above to create the organizational units.
Quote:
Now I have 3 to 5 employees per OU. What accounts do these employees need to be able to read the phone number of a certain InetorgPerson when they know the name of this Person ??
|
It sounds as if you want to restrict each user to have read access on a specific ou in the directory. Is this correct?
What application will people be using to read the directory information?
Last edited by jamrock; 12-09-2010 at 08:01 AM.
12-09-2010, 09:23 AM
#6
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 694
Original Poster
Quote:
Originally Posted by jamrock
It sounds as if you want to restrict each user to have read access on a specific ou in the directory. Is this correct?
What application will people be using to read the directory information?
|
I want to restrict each inetOrgPerson to its own OU with read-rights to the telephoneNumber-attribute of the objects inside that OU.
So I have objects like :
(inetOrgPerson) dn: cn=Company AA,ou=101001,dc=mydomain,dc=local
with attribute sn and telephoneNumber
and also :
(inetOrgPerson) dn: cn=U101001,ou=101001,dc=mydomain,dc=local
with attribute sn and userPassword
These reside in the OU "101001".
What I want is that a user like U101001 is able to read the telephoneNumber of Company AA.
The ldap clients are Snom IP-phones. I use my ldap-server as phone book.
12-09-2010, 10:23 AM
#7
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Quote:
Originally Posted by jonaskellens
I want to restrict each inetOrgPerson to its own OU with read-rights to the telephoneNumber-attribute of the objects inside that OU.
|
You need to make a distinction between the record or object in the ldap directory and the users who will read the information.
For example, my directory can store mail information about the users on my network. I must then set my security to restrict the access of users to the data in the directory.
Quote:
Originally Posted by jonaskellens
So I have objects like :
(inetOrgPerson) dn: cn=Company AA,ou=101001,dc=mydomain,dc=local
with attribute sn and telephoneNumber
and also :
(inetOrgPerson) dn: cn=U101001,ou=101001,dc=mydomain,dc=local
with attribute sn and userPassword
These reside in the OU "101001".
What I want is that a user like U101001 is able to read the telephoneNumber of Company AA.
The ldap clients are Snom IP-phones. I use my ldap-server as phone book.
|
Would the following approach work?
Create 2 separate branches. One for companies and one for users.
They would be set up as organizational units.
ou=companies,dc=mydomain,dc=local
ou=users,dc=mydomain,dc=local
Then
ou=companyaa,ou=companies,dc=mydomain,dc=local
ou=companyaa,ou=users,dc=mydomain,dc=local
Create the additional organizational units for each company.
ou=companybb,ou=companies,dc=mydomain,dc=local
ou=companybb,ou=users,dc=mydomain,dc=local
Add the data records to the relevant organizational unit under the company organizational unit. Add the users to the relevant organizational unit under the users organizational unit.
Quote:
There are about 50 entries in each OU.
|
Add these 50 entries to ou=companyaa,ou=companies,dc=mydomain,dc=local.
Quote:
Now I have 3 to 5 employees per OU.
|
Add these 3 to 5 employees to ou=companyaa,ou=users,dc=mydomain,dc=local
I don't know what type of authentication you will be using. However, set this up so the users can log in and view the directory.
Use the OpenLDAP access control lists to restrict read access of ou=companyaa,ou=companies,dc=mydomain,dc=local to the members of ou=companyaa,ou=users,dc=mydomain,dc=local.
Use the OpenLDAP access control lists to restrict read access of ou=companybb,ou=companies,dc=mydomain,dc=local to the members of ou=companybb,ou=users,dc=mydomain,dc=local.
You can find out more about OpenLDAP access control lists here:
http://www.openldap.org/doc/admin24/access-control.html
This is the point being made by acid_kewpie.
Quote:
As I mentioned on your other thread, it's not the account that has the right to do anything in itself, it's down to the acl's, which can simply be defined in your slapd.conf
|
Your directory structure could also be similar to:
ou=data,ou=companyaa,dc=mydomain,dc=local
ou=users,ou=companyaa,dc=mydomain,dc=local
ou=data,ou=companybb,dc=mydomain,dc=local
ou=users,ou=companybb,dc=mydomain,dc=local
Last edited by jamrock; 12-09-2010 at 10:34 AM.
12-09-2010, 10:42 AM
#8
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 694
Original Poster
I cannot make an OU for every company whose contact coordinates we keep...
I want to keep my current structure.
It is still not clear to me how I give read access to some user.
Question 1 : does this 'user' need to exist as an inetOrgPerson-object, or Person-object, or User-object, or OrganizationalRole-object ? Does this user-object need to exist at all ??
Question 2 : am I right that giving access rights is always and only defined in slapd.conf ? Am I right that this has nothing to do with the position of this 'user' in an OU ?
12-09-2010, 10:50 AM
#9
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Quote:
Originally Posted by jonaskellens
I cannot make an OU for every company whose contact coordinates we keep...
I want to keep my current structure.
|
You will need to find a way to separate the data from the users. Check the syntax of the access control lists. You may find something you can use.
Quote:
Originally Posted by jonaskellens
It is still not clear to me how I give read access to some user.
|
Take a look at the document I have posted and then let me know the parts you don't understand.
Quote:
Originally Posted by jonaskellens
Question 1 : does this 'user' need to exist as an inetOrgPerson-object, or Person-object, or User-object, or OrganizationalRole-object ? Does this user-object need to exist at all ??
|
The user needs to exist somewhere. How do you currently give users access to the Linux machine?
Quote:
Originally Posted by jonaskellens
Question 2 : am I right that giving access rights is always and only defined in slapd.conf ? Am I right that this has nothing to do with the position of this 'user' in an OU ?
|
The position of the user in the directory has nothing to do with user access rights. It is just a record in a database. Records have different attributes. A user record includes a username and a password. This is what distinguishes it from an address book record with attributes such as email address and telephone number.
Because the user record has a username and password it is possible to configure it for authentication.
Last edited by jamrock; 12-09-2010 at 10:53 AM.
12-09-2010, 11:27 AM
#10
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 694
Original Poster
Quote:
Originally Posted by jamrock
Because the user record has a username and password it is possible to configure it for authentication.
|
So I need:
1. an object (ex inetOrgPerson) somewhere in my tree with an attribute sn and attribute userPassword
2. a definition in slapd.conf like this :
Code:
defaultaccess none
access to *
by dn="cn=Manager,dc=mydomain,dc=local" write
by dn="cn=U101001,ou=101001,dc=mydomain,dc=local" read
Problem with this :
Code:
[root@asterisk16 ~]# ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local'
Enter LDAP Password: test101001
ldap_bind: Invalid credentials (49)
Without the extra lines of "access to..." it works great. So what's wrong ??
Quote:
Originally Posted by jamrock
How do you currently give user's access to the Linux machine?
|
/etc/passwd
I only use root and nagios account.
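An added configuration example, not posted by anyone in this thread: a slapd.conf ACL set for the layout described in #6 and #10 (contacts and the phone-book users in the same OU, e.g. ou=101001), which also explains why the "access to *" lines above break the bind. It assumes the DNs used in the thread and that the phones look names up through the cn and sn attributes.

```conf
# Added example (not from the thread): slapd.conf ACLs for the poster's layout,
# where contacts and the phone-book users live in the same OU, e.g.
#   cn=Company AA,ou=101001,dc=mydomain,dc=local   (sn, telephoneNumber)
#   cn=U101001,ou=101001,dc=mydomain,dc=local      (sn, userPassword)
# Place these lines AFTER the "database bdb" section they apply to. ACLs are
# evaluated top to bottom and the first matching "access to" clause wins.
# No "defaultaccess" is needed: every clause ends with an implicit "by * none".
# The rootdn (cn=Manager) bypasses ACLs entirely, so it needs no "by" line.

# 1. A simple bind is performed by the anonymous identity, which needs "auth"
#    access to userPassword. The poster's "access to *" clause grants anonymous
#    nothing, so every bind, including "ldapsearch -W -D cn=U101001,...",
#    fails with "Invalid credentials (49)" even when the password is right.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The search base (the OU entry itself) must be visible to its own users.
#    $1 captures the OU's DN; "dn.onelevel,expand" grants the right to entries
#    directly beneath that OU, i.e. only the users of the same OU.
access to dn.regex="^(ou=[^,]+,dc=mydomain,dc=local)$" attrs=entry,objectClass,ou
        by dn.onelevel,expand="$1" read
        by * none

# 3. Phone-book data: name and number of the entries inside an OU, readable
#    only by users whose own entry sits in that same OU. "entry" must be listed
#    or the entries stay invisible; "read" implies "search", so name filters
#    on cn/sn from the phones work. A user in ou=101002 matches no "by" line.
access to dn.regex="^cn=[^,]+,(ou=[^,]+,dc=mydomain,dc=local)$" attrs=entry,objectClass,cn,sn,telephoneNumber
        by dn.onelevel,expand="$1" read
        by * none

# 4. Everything else (the suffix entry, any other attribute) stays closed.
access to *
        by * none
```

After restarting slapd, the bind from #10 should succeed and return only the entries of ou=101001, while the same search with -b 'ou=101002,dc=mydomain,dc=local' returns nothing for that user.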
12-09-2010, 12:06 PM
#11
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Quote:
So I need:
1. an object (ex inetOrgPerson) somewhere in my tree with an attribute sn and attribute userPassword
|
Quote:
Without the extra lines of "access to..." it works great. So what's wrong ??
|
You will need to read up a bit on using OpenLDAP for user authentication.
http://www.openldap.org/doc/admin24/...tion%20Methods
Google will provide you with some more documents.
The inetOrgPerson is a schema. It might be useful to read up on OpenLDAP schemas also.
There are a few GUI tools that you can use to manage your directory. I use LDAP Admin but others exist.
http://ldapadmin.sourceforge.net/index.html
Last edited by jamrock; 12-10-2010 at 07:15 AM.
12-09-2010, 01:03 PM
#12
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 694
Original Poster
Quote:
Originally Posted by jamrock
There are a few GUI tools that you can use to manage your directory.
|
I use phpldapadmin...
The GUI that you suggest is for Windows... I don't use Windows.
I'm following the guide : http://www.yolinux.com/TUTORIALS/Lin...AP-BindPW.html
I still don't know why my "access to..." lines don't work.
I don't have "disallow bind_anon" and I don't have "disallow bind_simple" defined. So, my ldap-search with user "cn=U101001,ou=101001,dc=mydomain,dc=local" should give results, no ?!
Last edited by jonaskellens; 12-09-2010 at 01:10 PM.
12-10-2010, 07:20 AM
#13
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Quote:
The GUI that you suggest is for Windows... I don't use Windows.
|
Quote:
I use LDAP Admin but others exist.
|
Quote:
I still don't know why my "access to..." lines don't work.
|
Do you already have entries in your directory? Your search comes up empty. If you have entries in your directory you need to configure your ldap client.
Quote:
[root@asterisk16 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
|
Quote:
The configuration file for the client is the ldap.conf. It should include information similar to
# Section of ldap database from which to start searching
BASE dc=mydomain,dc=local
# Location of LDAP server.
URI ldap://server1.mydomain.local
Basically, you are letting the ldap client know where to find the ldap server information.
|
12-10-2010, 08:01 AM
#14
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 694
Original Poster
Thank you for your answer.
The ldap-clients are Snom IP-phones, but that's the next step.
When I execute :
Code:
ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local'
on the Ldap-server itself, do I then also need to configure ldap.conf ??
This ldapsearch gives results, no problem.
The problem occurs when I add the "access to *" lines.
Last edited by jonaskellens; 12-10-2010 at 08:02 AM.
12-10-2010, 08:11 AM
#15
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Are you sure you actually need to use access restrictions? A phone number is hardly interesting, and just because they have technical access to something, doesn't mean that that access is going to be exercised by the client.