
I'm implementing Kerberos with OpenLDAP manually and, according to the MIT documentation, I have to set this ACL manually:

access to dn.base=""
    by * read

access to dn.base="cn=Subschema"
    by * read

# Provide access to the realm container.
access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
    by dn.exact="cn=kdc-service,dc=example,dc=com" write
    by dn.exact="cn=adm-service,dc=example,dc=com" write
    by * none

# Provide access to principals, if not underneath the realm container.
access to dn.subtree= "ou=users,dc=example,dc=com"
    by dn.exact="cn=kdc-service,dc=example,dc=com" write
    by dn.exact="cn=adm-service,dc=example,dc=com" write
    by * none

access to *
    by * read

According to what I read, I've to set that in slapd.conf.

I think SUSE does not use slapd.conf, so I'm trying to figure out how I should add these entries. I'm totally stuck.

Could anybody help me?

Thank you so much.

Piotr P. Karwasz
DG DM

1 Answer


Recent versions of OpenLDAP use LDAP itself to maintain their configuration. Everything is contained in the cn=config subtree, in a database called olcDatabase={0}config,cn=config. Access to this database is usually given to the local user root on the machine.

In order to modify the configuration you have first to find your main database name:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcDatabaseConfig)'

where the SASL EXTERNAL method checks the uid and gid of the user running the command (so you must be root).

Once you have found your database name (let's say dn: olcDatabase={1}mdb,cn=config) you need to create a file (let's say authz.ldif) in LDIF format:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base=""
    by * read
olcAccess: to dn.base="cn=Subschema"
    by * read
olcAccess: to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
    by dn.exact="cn=kdc-service,dc=example,dc=com" write
    by dn.exact="cn=adm-service,dc=example,dc=com" write
    by * none
olcAccess: to dn.subtree= "ou=users,dc=example,dc=com"
    by dn.exact="cn=kdc-service,dc=example,dc=com" write
    by dn.exact="cn=adm-service,dc=example,dc=com" write
    by * none
olcAccess: to *
    by * read

This will replace all your previous olcAccess attributes with the new ones. Then you need to send the update to the OpenLDAP server:

ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif

Remark: On your LDAP server you usually want to access the server through the URI ldapi:/// (i.e. a UNIX socket), so you can add:

URI ldapi:///

to your ldap.conf file (man 5 ldap.conf), which has different paths on different distributions. E.g. on Debian it is in /etc/ldap/ldap.conf.

Piotr P. Karwasz
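As an added example (not part of the question or of the answer above), the following Python script automates the conversion the answer does by hand: it parses slapd.conf-style "access to" stanzas, renders them as ordered olcAccess values with slapd's {n} prefix in a "changetype: modify" LDIF, and models slapd's first-match evaluation so you can check, before applying the change, that the two service accounts get write access and that anonymous callers are denied the realm container. The shadowed_stanzas check shows why the "access to * by * read" catch-all has to stay last. The function names, the {n} prefix rendering and the DN matching (case-folding only, no full DN normalisation) are this example's own simplifications, not slapd code.

```python
"""Convert slapd.conf ACL stanzas to olcAccess LDIF and model slapd's evaluation.

Added example, not code from the question or the answer. The ACL text is a
constructed copy of the one posted in the question; the evaluator is a
simplified model of slapd's first-match semantics (only the dn.base /
dn.subtree / * targets and dn.exact / * subjects used on the page are handled).
"""
import re

SLAPD_CONF_ACL = """
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
# Provide access to the realm container.
access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
    by dn.exact="cn=kdc-service,dc=example,dc=com" write
    by dn.exact="cn=adm-service,dc=example,dc=com" write
    by * none
# Provide access to principals, if not underneath the realm container.
access to dn.subtree= "ou=users,dc=example,dc=com"
    by dn.exact="cn=kdc-service,dc=example,dc=com" write
    by dn.exact="cn=adm-service,dc=example,dc=com" write
    by * none
access to *
    by * read
"""

_BY_RE = re.compile(r"by\s+(\S+)\s+(\w+)")
_SPEC_RE = re.compile(r'^(dn\.(?:base|subtree|exact))="([^"]*)"$')


def _norm_spec(spec):
    """Collapse the MIT-docs spelling `dn.subtree= "x"` to `dn.subtree="x"`."""
    return re.sub(r'=\s+"', '="', spec)


def parse_access_stanzas(text):
    """Return [(target, [(who, level), ...]), ...] in file order; comments skipped."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            stanzas.append((_norm_spec(line[len("access to "):].strip()), []))
        elif line.startswith("by "):
            m = _BY_RE.fullmatch(line)
            if not stanzas or not m:
                raise ValueError("unparseable clause: %r" % line)
            stanzas[-1][1].append((_norm_spec(m.group(1)), m.group(2)))
        else:
            raise ValueError("unexpected line: %r" % line)
    return stanzas


def to_olc_access_values(stanzas):
    """One olcAccess value per stanza; {n} fixes the evaluation order in cn=config."""
    values = []
    for i, (target, clauses) in enumerate(stanzas):
        parts = ["{%d}to %s" % (i, target)]
        parts += ["by %s %s" % (who, level) for who, level in clauses]
        values.append(" ".join(parts))
    return values


def to_ldif(database_dn, stanzas):
    """The LDIF that replaces every existing olcAccess value, as in the answer."""
    lines = ["dn: " + database_dn, "changetype: modify", "replace: olcAccess"]
    lines += ["olcAccess: " + v for v in to_olc_access_values(stanzas)]
    return "\n".join(lines) + "\n"


def _split_spec(spec):
    if spec == "*":
        return "*", None
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError("unsupported spec: %r" % spec)
    return m.group(1), m.group(2).lower()


def _target_matches(spec, dn):
    kind, value = _split_spec(spec)
    dn = dn.lower()
    if kind == "*":
        return True
    if kind == "dn.base":
        return dn == value
    if kind == "dn.subtree":  # the base itself or anything below it
        return value == "" or dn == value or dn.endswith("," + value)
    raise ValueError("not a target spec: %r" % spec)


def _who_matches(spec, requester_dn):
    kind, value = _split_spec(spec)
    if kind == "*":
        return True
    if kind == "dn.exact":
        return requester_dn.lower() == value
    raise ValueError("not a subject spec: %r" % spec)


def effective_access(stanzas, target_dn, requester_dn):
    """First stanza whose target matches wins, then the first matching `by` clause;
    anything left unmatched is denied, mirroring slapd's implicit `by * none`."""
    for target, clauses in stanzas:
        if not _target_matches(target, target_dn):
            continue
        for who, level in clauses:
            if _who_matches(who, requester_dn):
                return level
        return "none"
    return "none"


def shadowed_stanzas(stanzas):
    """Indices of stanzas that can never be reached because an earlier `*` or
    dn.subtree target already covers every DN they could match."""
    result = []
    for i, (target, _) in enumerate(stanzas):
        kind, value = _split_spec(target)
        for earlier, _ in stanzas[:i]:
            ekind, _ = _split_spec(earlier)
            covered = ekind == "*" or (
                ekind == "dn.subtree" and kind != "*" and _target_matches(earlier, value))
            if covered:
                result.append(i)
                break
    return result


if __name__ == "__main__":
    acl = parse_access_stanzas(SLAPD_CONF_ACL)
    print(to_ldif("olcDatabase={1}mdb,cn=config", acl))
    print("shadowed stanzas:", shadowed_stanzas(acl))
```

Run it and pipe the printed LDIF into ldapmodify as the answer describes; an empty "shadowed stanzas" list means every stanza is reachable. Moving the "access to *" stanza to the front shadows all four others, which is exactly the misordering that would silently expose the realm container to anonymous reads.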