https://bugzilla.novell.com/show_bug.cgi?id=764297 https://bugzilla.novell.com/show_bug.cgi?id=764297#c2 Ralf Haferkamp changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW CC| |rhafer@suse.com InfoProvider|rhafer@suse.com | --- Comment #2 from Ralf Haferkamp 2012-07-11 10:45:48 CEST --- The Kerberos/LDAP Chapter describe howto update OpenLDAP Access Controls via slapd.conf. While this still works, we use the cn=config backend for OpenLDAP by default (when setup via YaST). That means that OpenLDAP's configuration itself is stored inside an LDAP database, and needs to be modified via LDAP. But AFAICS the ACL change isn't even required to make Kerberos logins work for OpenLDAP. It is even dangerous to allow users to change their own loginShell without addtional checks. The "authz-regexp" thing however is correct, see below how that is done for "cn=config". Just for completeness here is how ACL change work with cn=config: To update the ACLs for a database you would e.g. update the "olcAccess" Attribute of the cn=config entry representing that database. For the first LDAP Database such a change could look like this in LDIF: dn: olcDatabase={1}hdb,cn=config replace: olcAccess olcAccess: to dn="*,ou=people,dc=example,dc=com" attrs=loginShell by self write olcAccess: to * by users read Note: This will replace all existing ACL for that data. If you want to add or delete a single ACL you can use "add" or "delete" instead of "replace". You can also add a "{<number>}" in front of the olcAcccess Attribute's values to insert ACL at a specific place in the list (the order of ACLs matters for their evaluation) To change global ACLs (those that should be in place for all database, in case none of the database specific ACLs matches you'd you the special database entry: "olcDatabase={-1}frontend,cn=config" The "autz-regexp" change in LDIF looks like this: dn: olcDatabase={-1}frontend,cn=config add: olcAuthzRegexp olcAuthzRegexp: uid=(.*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com All those changes can be applied via ldapmodify on the commandline. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=764297 https://bugzilla.novell.com/show_bug.cgi?id=764297#c4 --- Comment #4 from Ralf Haferkamp 2012-07-18 16:19:28 CEST --- (In reply to comment #3) [..]

Is this my mistake or is something wrong? The LDIF I pasted expresses an LDAP Modify Operation, so feeding that into ldapadd is wrong. Use ldapmodify.

(As a sidenote, I haven't actually tested the LDIF myself I just created that one as an example so it might contain bugs. As I mentioned changing the ACLs is not required for the setup described in the manual, And that is the real bug in the manual. See comment#2) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=764297 https://bugzilla.novell.com/show_bug.cgi?id=764297#c6 --- Comment #6 from Ralf Haferkamp 2012-07-19 17:51:12 CEST --- (In reply to comment #5)

Hello Ralf,

Then I have wrote a wrong Bugzilla Entry ;).

But the exampla don't work also with ldapmodify

ldapmodify -Y EXTERNAL -H ldapi:/// -f regex_user.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={-1}frontend,cn=config" ldap_modify: Object class violation (65) additional info: attribute 'olcAuthzRegexp' not allowed

My example contained the wrong LDAP DN, sorry for that. Use "cn=config" instead of "olcDatabase={-1}frontend,cn=config" for the "olcAuthzRegexp". (Hint: the slapd-config man page give a pretty good overview about which setting belongs to which cn=config entry) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.