Reputation: 9406
I have a working OpenLDAP installation initialized with LDIF. I want to populate the same data in osixia/docker-openldap. Data are loaded but only admin can see them. The users from LDIF cannot see their own branch.
extend-osixia-openldap\environment\my-env.startup.yaml
LDAP_DOMAIN: centaur.tld
extend-osixia-openldap\bootstrap\ldif\demo_data.ldif
dn: cn=ldapadm,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: person
cn: ldapadm
sn: LDAP Manager
userpassword: VerySecret

dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=ldapadm,dc=centaur,dc=TLD" write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by self read
  by * read

dn: ou=ABC,dc=centaur,dc=tld
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: ABC

dn: ou=people,ou=ABC,dc=centaur,dc=tld
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=manager,ou=people,ou=ABC,dc=centaur,dc=tld
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: manager
sn: Manager
userpassword: VerySecret
Shell
>docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b ou=people,ou=ABC,dc=centaur,dc=TLD -D "cn=manager,ou=people,ou=ABC,dc=centaur,dc=TLD" -w VerySecret
# search result
search: 2
result: 32 No such object
>docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b ou=people,ou=ABC,dc=centaur,dc=TLD -D "cn=admin,dc=centaur,dc=TLD" -w admin
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10
This configuration did not work either:
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=ldapadm,dc=centaur,dc=TLD" write by anonymous auth by * none
olcAccess: to * by self read by dn="cn=ldapadm,dc=centaur,dc=TLD" write by * none
olcAccess: to * by self write by * read
How to configure this image so the new users can browse its content?
UPDATE
It seems that my config was not applied:
docker exec %CONTAINER% ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))"
olcSuffix: dc=centaur,dc=TLD
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=centaur,dc=TLD" write by anonymous auth by * none
olcAccess: {2}to * by self read by dn="cn=admin,dc=centaur,dc=TLD" write by
 dn="cn=readonly,dc=centaur,dc=TLD" read by * none
Upvotes: 0
Views: 2833
Reputation: 9406
This is my working setup. The trouble was that I had left the environment variable LDAP_READONLY_USER: true
and that caused my security import to be overwritten (osixia/docker-openldap/issues/456).
Directory hierarchy
98-data.ldif
dn: cn=ldapadm,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: person
cn: ldapadm
sn: LDAP Manager
userpassword: VerySecret

dn: ou=ABC,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: ABC

dn: cn=manager,ou=ABC,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: manager
givenName: Eve
sn: Manager
displayName: Eve Manager
userpassword: VerySecret
99-config.ldif
dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=ldapadm,dc=centaur,dc=TLD" write
  by anonymous auth
  by * none
olcAccess: to * by self read
  by dn="cn=admin,dc=centaur,dc=TLD" write
  by dn="cn=ldapadm,dc=centaur,dc=TLD" write
  by users read
  by * none
my-env.startup.yaml
LDAP_ORGANISATION: Centaur
LDAP_DOMAIN: centaur.TLD
LDAP_ADMIN_PASSWORD: admin
LDAP_CONFIG_PASSWORD: config
LDAP_READONLY_USER: false
LDAP_TLS: false
LDAP_TLS_ENFORCE: false
Dockerfile
FROM osixia/openldap:1.4.0
MAINTAINER Leos Literak <[email protected]>
ADD bootstrap /container/service/slapd/assets/config/bootstrap
ADD certs /container/service/slapd/assets/certs
ADD environment /container/environment/01-custom
Commands
docker build -t leos/ABC-ldap:0.0.13 --rm .
docker ps
set CONTAINER=dbad6fe6798e
docker run -p 389:389 -p 636:636 --detach leos/ABC-ldap:0.0.13 --loglevel debug
docker exec %CONTAINER% ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))"
docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b dc=centaur,dc=TLD -D "cn=admin,dc=centaur,dc=TLD" -w admin
docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b dc=centaur,dc=TLD -D "cn=manager,ou=ABC,dc=centaur,dc=TLD" -w VerySecret
docker stop %CONTAINER%
Upvotes: 1
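To see why the ACL slapd actually had (the one shown in the UPDATE) denied the manager while the one in 99-config.ldif grants read, here is an added Python model of slapd's olcAccess evaluation; it is not code from the question, the answer or the osixia image. It models only the target and subject forms used on this page and assumes a simple bind over ldap://, so the peercred subject never matches.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd order

def parse_acl(line):
    """'{n}to <what> by <who> <level> [by ...]' -> (what, [(who, level), ...])."""
    to, *bys = re.sub(r"^\{\d+\}", "", line.strip()).split(" by ")
    return to.split(None, 1)[1].strip(), [tuple(c.strip().rsplit(None, 1)) for c in bys]

def target_matches(what, attr):
    """'*' or an attrs= list; dn.subtree=/filter= targets are not modelled here."""
    return what == "*" or (what.startswith("attrs=") and attr.lower() in what[6:].lower().split(","))

def subject_matches(who, bind_dn, target_dn):
    """Subset of slapd 'by' subjects; peercred/EXTERNAL never matches an ldap:// bind."""
    if who.startswith(("dn=", "dn.exact=")):
        return who.split("=", 1)[1].strip('"').lower() == bind_dn.lower()
    return {"*": True, "self": bind_dn.lower() == target_dn.lower(),
            "users": bind_dn != "", "anonymous": bind_dn == ""}.get(who, False)

def access(acls, bind_dn, target_dn, attr="entry"):
    """First matching 'to' clause, then its first matching 'by' clause decides;
    'break' falls through to the next 'to'; a 'to' with no matching 'by' denies."""
    for line in acls:
        what, rules = parse_acl(line)
        if not target_matches(what, attr):
            continue
        for who, level in rules:
            if subject_matches(who, bind_dn, target_dn):
                if level == "break":
                    break
                return level
        else:
            return "none"
    return "none"

def can_read(acls, bind_dn, target_dn, attr="entry"):
    return LEVELS.index(access(acls, bind_dn, target_dn, attr)) >= LEVELS.index("read")

# Constructed from the page: the ACL left in place by LDAP_READONLY_USER=true (see UPDATE) ...
APPLIED = [
    'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
    'to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=centaur,dc=TLD" write by anonymous auth by * none',
    'to * by self read by dn="cn=admin,dc=centaur,dc=TLD" write by dn="cn=readonly,dc=centaur,dc=TLD" read by * none',
]
# ... and the ACL from 99-config.ldif in the answer.
FIXED = APPLIED[:1] + [
    'to attrs=userPassword,shadowLastChange by self write by dn="cn=ldapadm,dc=centaur,dc=TLD" write by anonymous auth by * none',
    'to * by self read by dn="cn=admin,dc=centaur,dc=TLD" write by dn="cn=ldapadm,dc=centaur,dc=TLD" write by users read by * none',
]
MANAGER = "cn=manager,ou=ABC,dc=centaur,dc=TLD"
```

With APPLIED the manager gets "none" on ou=ABC (hence result 32, the entry is not even disclosed) but "read" on its own entry via self; with FIXED the "by users read" clause grants read to any authenticated bind while anonymous binds still get nothing.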