List: openldap-technical
Subject: Adding ACL to an Attribute
From: Drukpa Kunley <drukpa () micronator ! org>
Date: 2019-12-03 17:47:54
Message-ID: 0bf220ff-7cde-6015-1017-bfa672581500 () micronator ! org
Hi all,

SYSTEM: NethServer-7.6.1810, a distro using CentOS 7.6.1810
OpenLDAP: openldap-2.4.44-21.el7_6.x86_64
Extra package: Self Service Password

I am using Self Service Password with the question/answer method to change the password.
I store the answer in an attribute named: info.

$answer_objectClass = "extensibleObject";
$answer_attribute = "info";

The original Account provider is LDAP, which I want to replace with Active Directory.
All the users have to choose a question/answer before I replace LDAP with AD as the Account provider.

While LDAP is still the Account provider, anybody with console access to the server can see the question/answer using the command:

# ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` -h 127.0.0.1

# toto, People, directory.nh
dn: uid=toto,ou=People,dc=directory,dc=nh
...
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: extensibleObject
shadowLastChange: 18220
userPassword:: cm9ibTEyMDQ0OQ==
info: {car}Honda

I created a Virtual Machine to test the scenario with 3 users.

In NethServer, the original Account provider is LDAP.
I did a script to extract the users and their answers to file.ldif.
I remove LDAP.
I install the Active Directory module.
I import the users/groups to AD. In the import, AD creates new passwords for the imported users.
I add a section to Self Service Password for AD.
I modify AD with info.ldif to include the answer.

# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
Modified 3 records successfully
#

The users can then modify their password by responding to the same question/answer they had with LDAP.
All is working perfectly.

PROBLEM:
I cannot encrypt the answer in LDAP because when I import the users to Active Directory, it cannot read the encrypted answer. I think that AD is using another way to encrypt/decrypt?
If I don't encrypt the answer, the import to AD is working correctly.

While still using LDAP as Account provider and before I change it to Active Directory, I would like to add an additional ACL so nobody can read the answer stored in "info".

After googling a lot I found a way to describe the ACL. I hope it is the right way.

access to attrs=info
by self write
by anonymous auth
by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
by * none

How can I create the content of the newacl.ldif file to be able to add that ACL to OpenLDAP (ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/newacl.ldif)?

Thank you,

Drukpa
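The LDIF the question asks for, as an added worked example that is not part of the mail above: a small POSIX shell script that writes the poster's ACL into newacl.ldif as the first olcAccess value of the database holding dc=directory,dc=nh, applies it over ldapi with SASL EXTERNAL, and then checks, bound as the application DN seen in the mail, that "info" is no longer returned. The database DN (olcDatabase={N}hdb,cn=config), the /tmp path and the use of cn=libuser as the DN to lock out are assumptions, not facts from the mail; the script looks the database DN up rather than guessing it. Two things a practitioner should keep in mind that the mail does not say: the rootdn of the database bypasses ACLs entirely, and whatever DN Self Service Password itself binds as must still be able to read "info" (or the user must bind as themselves, which "by self write" covers), otherwise the question/answer check stops working.

```shell
#!/bin/sh
# Added example, not code from the mail: generate newacl.ldif for the ACL in
# the question, apply it over ldapi, and check that the application bind DN
# can no longer read "info".
# Assumptions (not stated in the mail): the suffix's database lives at
# olcDatabase={N}hdb,cn=config (N and the backend are discovered, not guessed),
# the local root user may modify cn=config via SASL EXTERNAL, and
# cn=libuser,dc=directory,dc=nh is the bind DN whose read access we revoke.

SUFFIX="dc=directory,dc=nh"
APP_BIND_DN="cn=libuser,dc=directory,dc=nh"
APP_SECRET_FILE="/var/lib/nethserver/secrets/libuser"

# Print the cn=config DN of the database that serves $1
# (e.g. olcDatabase={2}hdb,cn=config). Needs a running slapd; the offline
# test does not call it.
find_db_dn() {
  ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config \
    "(&(objectClass=olcDatabaseConfig)(olcSuffix=$1))" dn | sed -n 's/^dn: //p'
}

# Write the LDIF to $2 for database DN $1. Index {0} puts the rule first, so it
# is matched before any broader "to *" rule (slapd uses the first "to" clause
# whose target matches and ignores the rest). The continuation lines start with
# TWO spaces: LDIF strips one as the fold marker, the other survives as the
# separator between "info" and "by".
write_acl_ldif() {
  db_dn=$1
  cat > "$2" <<EOF
dn: $db_dn
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=info
  by self write
  by anonymous auth
  by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
  by * none
EOF
}

# Join LDIF continuation lines so the rule can be read (or grepped) on one line.
unfold_ldif() {
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' "$1"
}

# Apply as the local root identity; cn=config is live, no slapd restart needed.
apply_acl() {
  ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Succeed only if a search bound as the application DN (the same bind the mail
# used to expose the answers) returns no "info:" line at all.
verify_info_hidden() {
  ! ldapsearch -LLL -x -H ldap://127.0.0.1 -D "$APP_BIND_DN" \
      -w "$(cat "$APP_SECRET_FILE")" -b "ou=People,$SUFFIX" \
      "(objectClass=inetOrgPerson)" info | grep -q '^info:'
}

# Usage on the NethServer host: sh newacl.sh --apply
if [ "${1:-}" = "--apply" ]; then
  DB_DN=$(find_db_dn "$SUFFIX")
  [ -n "$DB_DN" ] || { echo "no database for $SUFFIX in cn=config" >&2; exit 1; }
  write_acl_ldif "$DB_DN" /tmp/newacl.ldif
  unfold_ldif /tmp/newacl.ldif          # show the rule slapd will store
  apply_acl /tmp/newacl.ldif
  verify_info_hidden && echo "info is now hidden from $APP_BIND_DN"
fi
```

If the database already carries olcAccess values, adding {0} shifts the existing ones down by one; check the result with `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "$DB_DN" olcAccess` before trusting it, because a pre-existing rule such as `to attrs=userPassword` keeps working while a pre-existing `to *` rule must stay below the new one.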