https://bugzilla.novell.com/show_bug.cgi?id=764297
https://bugzilla.novell.com/show_bug.cgi?id=764297#c2

Ralf Haferkamp <rhafer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEEDINFO                    |NEW
             CC|                            |rhafer@suse.com
   InfoProvider|rhafer@suse.com             |

--- Comment #2 from Ralf Haferkamp <rhafer@suse.com> 2012-07-11 10:45:48 CEST ---
The Kerberos/LDAP chapter describes how to update OpenLDAP access controls via slapd.conf. While this still works, we use the cn=config backend for OpenLDAP by default (when set up via YaST). That means that OpenLDAP's configuration itself is stored inside an LDAP database, and needs to be modified via LDAP.

But AFAICS the ACL change isn't even required to make Kerberos logins work for OpenLDAP. It is even dangerous to allow users to change their own loginShell without additional checks. The "authz-regexp" thing however is correct; see below how that is done for "cn=config".

Just for completeness, here is how ACL changes work with cn=config:

To update the ACLs for a database you would e.g. update the "olcAccess" attribute of the cn=config entry representing that database. For the first LDAP database such a change could look like this in LDIF:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.subtree="ou=people,dc=example,dc=com" attrs=loginShell by self write
olcAccess: to * by users read

Note: This will replace all existing ACLs for that database. If you want to add or delete a single ACL you can use "add" or "delete" instead of "replace". You can also add a "{<number>}" in front of the olcAccess attribute's values to insert an ACL at a specific place in the list (the order of ACLs matters for their evaluation).

To change global ACLs (those that should be in place for all databases, in case none of the database-specific ACLs matches) you'd use the special database entry "olcDatabase={-1}frontend,cn=config".

The "authz-regexp" change in LDIF looks like this:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com

All those changes can be applied via ldapmodify on the command line.
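The comment above describes listing, checking and inserting olcAccess rules under cn=config. The helpers below are an added example, not part of the bug report and not SUSE's or OpenLDAP's own tooling; they assume the suffix dc=example,dc=com and the database olcDatabase={1}hdb used in the comment, and the ldapsearch output they parse is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report). Works on "olcAccess: {n}<rule>"
# lines as ldapsearch returns them from cn=config; sample data is constructed.

# Print the rules of an olcAccess attribute in evaluation order.
# Input (stdin): "olcAccess: {n}<rule>" lines.  Output: "<n> <rule>" sorted by n.
acl_order() {
    sed -n 's/^olcAccess: {\([0-9][0-9]*\)}/\1 /p' | sort -n
}

# Flag rules that grant "self write" on anything other than userPassword
# (the comment warns that letting users edit their own loginShell is dangerous;
# treating userPassword as the expected exception is an assumption here).
# Input: same as acl_order.  Output: offending "<n> <rule>" lines, if any.
self_write_check() {
    acl_order | grep 'by self write' | grep -v 'attrs=userPassword' || true
}

# Emit the LDIF that inserts one rule at position POS of database DB.
# The {POS} prefix makes slapd place the rule at that index and renumber the
# rest, so the existing list is kept instead of being replaced wholesale.
acl_insert_ldif() {
    db=$1 pos=$2 rule=$3
    printf 'dn: olcDatabase=%s,cn=config\n' "$db"
    printf 'changetype: modify\n'
    printf 'add: olcAccess\n'
    printf 'olcAccess: {%s}%s\n' "$pos" "$rule"
}

# Usage sketch against a live server (root on the host, ldapi:/// with EXTERNAL auth):
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}hdb,cn=config' olcAccess | acl_order
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}hdb,cn=config' olcAccess | self_write_check
#   acl_insert_ldif '{1}hdb' 1 'to * by users read' | ldapmodify -Y EXTERNAL -H ldapi:///
```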