OpenLDAP ACL not working - Error code 50 - No write access to parent


I built a couple of OpenLDAP servers for an application service. Both servers seem perfectly okay on the configuration side, and I can manage them with Apache Directory Studio as the RootDN cn=admin,dc=somedomain,dc=com. Replication works between them too. They are built on RHEL8 by compiling the OpenLDAP source code, as OpenLDAP server packages are not provided any more. The OpenLDAP version is 2.4.52.

I'm able to create OUs and also users through Directory Studio, and I used one of them in the app as a service account for authentication purposes. In this case the user is uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com and the OUs are as below:

  • ou=Admins,ou=People,dc=somedomain,dc=com
  • ou=Readers,ou=People,dc=somedomain,dc=com
  • ou=Users,ou=People,dc=somedomain,dc=com

The requirement now is that the user svc-admin should have write/full permissions to the above OUs, as the app is designed to provision new users and will be writing into the above OUs using svc-admin as the service account. It should be able to create users and modify their attributes.

I created an ACL and was able to apply it using ldapmodify; however, when I connect to the LDAP server as svc-admin in Apache DS I can read but cannot modify or create new users. When I try, I get an error both via Apache DS and in the shell: Insufficient right - Error 50 - No write access to parent.

Here's the ACL that I used:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.subtree="ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: to dn.subtree="ou=Users,ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: to dn.subtree="ou=Readers,ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write

It's not working. Here are my olcDatabase={1}mdb and olcDatabase={0}config files. I cleaned up the ACLs as they weren't doing any good.

olcDatabase={1}mdb:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 54063f10
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=somedomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self wr
 ite by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn
 =external,cn=auth" manage  by * none
olcAccess: {1}to dn.subtree="dc=somedomain,dc=com" by dn.subtree="gidNumber=
 0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * re
 ad
olcRootDN: cn=admin,dc=somedomain,dc=com
olcRootPW:: e1NTSEF9dkc0ZkIyYkZrYVduNU1BbTdkAHQ5ZXE0WlFEUHBSSGk=
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbMaxSize: 42949672960
structuralObjectClass: olcMdbConfig
entryUUID: 3b57a8aa-b1d8-103a-87d6-7198db52aeab
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20201103042439Z
olcSyncrepl: {0}rid=003 provider=ldaps://ldapserver01.somedomain.com binddn="
 cn=admin,dc=somedomain,dc=com" bindmethod=simple credentials="TestCreds" s
 earchbase="dc=somedomain,dc=com" type=refreshAndPersist timeout=0 network-t
 imeout=0 retry="30 5 300 +"
olcSyncrepl: {1}rid=004 provider=ldaps://ldapserver02.somedomain.com binddn="
 cn=admin,dc=somedomain,dc=com" bindmethod=simple credentials="TestCreds" s
 earchbase="dc=somedomain,dc=com" type=refreshAndPersist timeout=0 network-t
 imeout=0 retry="30 5 300 +"
olcMirrorMode: TRUE
entryCSN: 20210202222100.054442Z#000000#001#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210202222100Z

olcDatabase={0}config:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 f2b26838
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=exter
 nal,cn=auth" manage  by self write by users read by anonymous auth
olcRootDN: cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: f1608708-b1d7-103a-8934-b724f0ebd8c8
creatorsName: cn=config
createTimestamp: 20201103042234Z
olcRootPW:: e1NTSEF9dkc0ZkIyYkZrYVduNU1BbTdkAHQ5ZXE0WlFEUHBSSGk=
olcSyncrepl: {0}rid=001 provider=ldaps://ldapserver01.ugo-wallet.com binddn="
 cn=config" bindmethod=simple credentials="TestCreds" searchbase="cn=config
 " type=refreshAndPersist timeout=0 network-timeout=0 retry="30 5 300 +"
olcSyncrepl: {1}rid=002 provider=ldaps://ldapserver02.ugo-wallet.com binddn="
 cn=config" bindmethod=simple credentials="TestCreds" searchbase="cn=config
 " type=refreshAndPersist timeout=0 network-timeout=0 retry="30 5 300 +"
olcMirrorMode: TRUE
entryCSN: 20210202221926.832349Z#000000#001#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210202221926Z

How can I solve this? Any help in tackling this problem is greatly appreciated.

There is 1 answer

FairDinkum82

I think this might not be the appropriate approach, but it worked for me. I removed the ACLs below from olcDatabase={1}mdb...

olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self wr
 ite by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn
 =external,cn=auth" manage  by * none
olcAccess: {1}to dn.subtree="dc=somedomain,dc=com" by dn.subtree="gidNumber=
 0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * re
 ad

...and added the ones below via an LDIF file, and now the user account svc-admin can do everything the application wants it to do.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write by * read
olcAccess: {2}to dn.subtree="ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: {3}to * by * read
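As an added example (my code, not the asker's, the answerer's or OpenLDAP's), the following Python simulates slapd's first-match evaluation of olcAccess directives over the two rule sets on this page: ASKER holds the asker's live {0} and {1} rules plus the appended svc-admin rule, ANSWER holds the accepted answer's four rules, and uid=bob is a constructed ordinary entry under ou=Users that the page does not contain. It shows why the asker's appended rule never took effect (the {1} catch-all for dc=somedomain,dc=com matches svc-admin first and grants only read, so the add fails on the parent's children pseudo-attribute), that the answer's ordering grants svc-admin write, and that under the answer's rules an ordinary user can still authenticate through the userPassword rule but gets no read on its own entry, because a matched directive whose by clauses all miss denies.

```python
"""Added example (not from the page or OpenLDAP): first-match simulation of slapd ACLs.
The first 'to' clause matching the target decides, its first matching 'by' sets the level,
and an implicit 'by * none' ends each directive. rootdn bypasses ACLs and is not modelled."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ROOT = 'dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"'
SVC_DN = "uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com"
SVC = f'dn.exact="{SVC_DN}"'
ASKER = [f"to attrs=userPassword,shadowLastChange,shadowExpire by self write by anonymous auth by {ROOT} manage by * none",
         f'to dn.subtree="dc=somedomain,dc=com" by {ROOT} manage by users read by * read',
         f'to dn.subtree="ou=People,dc=somedomain,dc=com" by {SVC} write']
ANSWER = [f"to attrs=userPassword by self write by {SVC} write by anonymous auth by * none",
          f"to attrs=shadowLastChange by self write by {SVC} write by * read",
          f'to dn.subtree="ou=People,dc=somedomain,dc=com" by {SVC} write',
          "to * by * read"]

def norm(dn):  # lower-case, unquote, drop spaces after commas
    return re.sub(r",\s*", ",", dn.strip().strip('"')).lower()
def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def parse(directive):
    """'{n}to <what> by <who> <level> ...' -> (what, [(who, level), ...])"""
    parts = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", directive.strip()))
    return parts[0][2:].strip(), [tuple(p.split()[:2]) for p in parts[1:]]

def what_matches(what, target, attr):
    for key, val in re.findall(r'(dn\.\w+|attrs)=("[^"]*"|\S+)', what):
        ok = (attr.lower() in val.lower().split(",") if key == "attrs" else
              in_subtree(target, norm(val)) if key == "dn.subtree" else target == norm(val))
        if not ok:
            return False
    return True  # 'to *', or every selector matched

def who_matches(who, bind, target):
    simple = {"*": True, "self": bind == target, "users": bind != "", "anonymous": bind == ""}
    if who in simple:
        return simple[who]
    key, val = who.split("=", 1)
    return in_subtree(bind, norm(val)) if key == "dn.subtree" else bind == norm(val)

def granted(directives, bind, target, attr="entry"):
    """Level bind ('' = anonymous) gets on target/attr; an add needs 'write' on the parent's 'children'."""
    bind, target = norm(bind), norm(target)
    for d in directives:
        what, bys = parse(d)
        if what_matches(what, target, attr):
            return next((lvl for who, lvl in bys if who_matches(who, bind, target)), "none")
    return "none"
```

Compare `granted(ASKER, SVC_DN, "ou=Users,ou=People,dc=somedomain,dc=com", "children")` (read, hence error 50 on add) with the same call against ANSWER (write).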