Commit d289104f authored by buttle

Added olcAccess to README.md

parent bf38f821
......@@ -443,6 +443,47 @@ Don't forget to update your firewall
iptables -A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
# Tree permissions
Default openldap permission allow unauthenticated users to read the tree. Let's avoid that.
Edit `/tmp/access.ldif`
```
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
-
add: olcAccess
olcAccess: {0}to attrs=shadowLastChange by self write by * read
olcAccess: {1}to attrs=userPassword by self write by group.exact="cn=admins,dc=example,dc=com" write by anonymous auth by * none
olcAccess: {2}to * by self write by group.exact="cn=admins,dc=example,dc=com" write by users read
```
And import the config
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/access.ldif
Now lets create the 'admins' groupOfMembers. All users included in this group will have admin powers.
Edit `/tmp/add_group.ldif`
```
dn: cn=group_name,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: group_name
member: uid=existing_user,ou=users,dc=example,dc=com
```
Import configuration
ldapadd -x -W -D "uid=my-user,dc=example,dc=com" -f /tmp/add_group.ldif
# Backup and Restore
## Dump databases
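Review bot: the two steps in this hunk are in the wrong order: the ACL `olcAccess: {2}to * by self write by group.exact="cn=admins,dc=example,dc=com" write by users read` is imported first, and only afterwards is the admins group created by binding as `uid=my-user,dc=example,dc=com`, who at that point has no write access to `dc=example,dc=com` (only `self` and the not-yet-existing group do), so the `ldapadd` fails unless `my-user` happens to be the rootdn. Create the group first (or add it via `ldapadd -Y EXTERNAL -H ldapi:///`), then apply the ACL. The group LDIF also does not match the ACL it is meant to back: the rule names `cn=admins,dc=example,dc=com`, but the LDIF creates `dn: cn=group_name,dc=example,dc=com`, and the prose says "groupOfMembers" while the objectClass actually used is `groupOfNames`; use `cn: admins` so the `group.exact` clause matches. Two further points: `delete: olcAccess` with explicit values only succeeds when each listed value matches the stored one exactly (index included), so `replace: olcAccess` followed by the three new values is more robust; and `to * by self write` lets every user modify any attribute of their own entry (for posixAccount entries that includes uidNumber and gidNumber, which PAM/NSS consume), so limit self write to a named attribute list instead of `*`.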
......@@ -569,7 +610,7 @@ userPassword: 1234
Import configuration
ldapmodify -x -W -D "uid=my-user,dc=example,dc=com" -f /tmp/add_user.ldif
ldapadd -x -W -D "uid=my-user,dc=example,dc=com" -f /tmp/add_user.ldif
## Create a group using ldif
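Review bot: the `userPassword: 1234` context line of this hunk is stored as a literal cleartext value, since OpenLDAP writes userPassword as given unless the ppolicy overlay is configured to hash cleartext passwords; generate the value with `slappasswd -s <secret>` and put the resulting `{SSHA}...` string in `add_user.ldif`, or at least say in the README that the example is unhashed. The `ldapmodify` to `ldapadd` change itself is correct, because the LDIF carries no `changetype` and `ldapmodify` without `-a` rejects it.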
......@@ -585,7 +626,7 @@ member: uid=existing_user,ou=users,dc=example,dc=com
Import configuration
ldapmodify -x -W -D "uid=my-user,dc=example,dc=com" -f /tmp/add_group.ldif
ldapadd -x -W -D "uid=my-user,dc=example,dc=com" -f /tmp/add_group.ldif
## Add a member to a group using ldif
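Review bot: the `add_group.ldif` example this fix applies to is now duplicated verbatim by the "Tree permissions" section added in the first hunk of this commit; keep one copy and refer to it from the other so the two do not drift apart. The bind DN `uid=my-user,dc=example,dc=com` also does not sit under the `ou=users` OU that `member: uid=existing_user,ou=users,dc=example,dc=com` uses; pick one tree layout for both. The `ldapmodify` to `ldapadd` change is correct for the same reason as in the user section.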