389 Directory Server 1.3.x Users, Groups and ACIs
Now that our password policy is in place (see 389 Directory Server 1.3.x Password Policy), it's time to add some users and groups to our directory.
Let's generate 200 random users to get started, plus three groups (PROD, UAT, DEV) that serve both as POSIX groups and as the organizational unit recorded in each user's ou attribute.
[root@ldap01 ~]# yum -y install words
...
dirsrv@ldap01 $ cat << 'EOF' > genUsers.sh
#!/bin/bash
# Writes one LDIF file per random user into ./People. The outer heredoc is
# quoted ('EOF') so the interactive shell does not expand the $variables and
# $(...) substitutions below while the script file is being written.
set -o errexit
set -o nounset
set -o pipefail
LDAP_GRP=(PROD UAT DEV)
declare -A LDAP_GRPID=([PROD]=1001 [UAT]=1002 [DEV]=1003)
# Dictionary words without punctuation serve as given names and surnames.
NAMES=( $(grep -Ev '[[:punct:]]' /usr/share/dict/words) )
NUMNAMES="${#NAMES[*]}"
# Array indexes run from 0 to NUMNAMES-1; 400 draws give 200 given names + 200 surnames.
RNDNR=( $(shuf -i 0-$(( NUMNAMES - 1 )) -n 400) )
mkdir -p People
for i in {0..199}; do
GN="${NAMES[${RNDNR[$i]}]}"
SN="${NAMES[${RNDNR[$i+200]}]}"
UIDN="$(( 1001 + $i ))"
# Login name: first six letters of the surname plus a random number, lower-cased.
UIDL="${SN:0:6}$(( RANDOM % 99 ))"
UIDL="${UIDL,,}"
# Re-roll the number on a collision instead of silently overwriting an earlier LDIF.
while [ -e "People/${UIDL}.ldif" ]; do
UIDL="${SN:0:6}$(( RANDOM % 99 ))"
UIDL="${UIDL,,}"
done
GRPRND="$(( RANDOM % 3 ))"
GRPL="${LDAP_GRP[$GRPRND]}"
echo "Creating People/${UIDL}.ldif ..."
# The inner heredoc stays unquoted so the per-user values are substituted.
# The empty line before EOT is the LDIF record separator; without it the
# concatenated files cannot be fed to a single ldapadd run.
cat << EOT > "People/${UIDL}.ldif"
dn: uid=$UIDL,ou=People,dc=unix,dc=mycompany,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
ou: $GRPL
sn: ${SN^}
cn: ${GN^} ${SN^}
uid: $UIDL
uidNumber: $UIDN
gidNumber: ${LDAP_GRPID[$GRPL]}
homeDirectory: /home/$UIDL
loginShell: /bin/bash
gecos: ${GN^} ${SN^}, $UIDL@mycompany.com
mail: $UIDL@mycompany.com
userPassword: changeme987

EOT
done
EOF
dirsrv@ldap01 $ chmod +x genUsers.sh
dirsrv@ldap01 $ ./genUsers.sh
...
Creating People/smiddy6.ldif ...
...
dirsrv@ldap01 $ ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
dn: cn=prod,ou=Groups,dc=unix,dc=mycompany,dc=com
objectClass: top
objectClass: posixGroup
cn: prod
gidNumber: 1001

dn: cn=uat,ou=Groups,dc=unix,dc=mycompany,dc=com
objectClass: top
objectClass: posixGroup
cn: uat
gidNumber: 1002

dn: cn=dev,ou=Groups,dc=unix,dc=mycompany,dc=com
objectClass: top
objectClass: posixGroup
cn: dev
gidNumber: 1003
^D
...
dirsrv@ldap01 $ cat People/*.ldif | ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
...
We should have 200 LDAP users and 3 LDAP groups now. 389 DS hashes userPassword on import according to the password storage scheme, but the generated LDIF files still hold the initial password changeme987 in clear text, so remove the People directory once the import is through. Next we want some manager groups and ACIs so that our users are able to edit certain attributes. I'll show this only for the PROD group (the POSIX group prod with gid 1001).
dirsrv@ldap01 $ ldapsearch -D "cn=Directory Manager" -xy /etc/dirsrv/.dmpw -ZZ -LLL \
-b "ou=People,dc=unix,dc=mycompany,dc=com" "(&(objectclass=posixAccount)(gidNumber=1001))" uid gidNumber
...
dn: uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com
uid: aeger10
gidNumber: 1001
...
dn: uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com
uid: smiddy6
gidNumber: 1001
...
dirsrv@ldap01 $ ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
dn: cn=PROD Managers,ou=Groups,dc=unix,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: PROD Managers
description: People who can manage PROD entries
ou: Groups
uniqueMember: uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com
^D
...
The LDAP user smiddy6 is now a group manager for the PROD group. Let's create an ACI so that the PROD Managers group can actually do something. The ACI is stored on ou=People and therefore covers the whole subtree: targetattr is the explicit allowlist of attributes the right applies to, targetfilter narrows it to entries whose ou is PROD, and groupdn names the only subject that is granted write.
dirsrv@ldap01 $ ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
dn: ou=People,dc=unix,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (targetattr = "gecos || loginShell || userPassword")(targetfilter = "(ou=PROD)")(version 3.0; acl "PROD Group Permissions"; allow (write)(groupdn = "ldap:///cn=PROD Managers,ou=Groups,dc=unix,dc=mycompany,dc=com");)
^D
...
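The page only wires up PROD. As an added example (not part of the original post), the following POSIX shell function generates the same two LDIF records for any of the three environments: the manager group plus the ACI with the group name substituted. It assumes UAT and DEV are organised exactly like PROD (ou=<GROUP> on the user entries) and the suffix dc=unix,dc=mycompany,dc=com from the page; the member DNs in the usage comment are placeholders.

```shell
#!/bin/sh
# Suffix of the page's DIT (assumption: same tree as in the post).
SUFFIX="dc=unix,dc=mycompany,dc=com"

# gen_manager_ldif GROUP MANAGER_DN...
# Print LDIF that creates cn=<GROUP> Managers in ou=Groups with the given members
# and adds the matching ACI to ou=People. The ACI is the page's PROD one with the
# group name substituted: an explicit targetattr allowlist, a targetfilter that
# scopes it to entries whose ou is <GROUP>, and groupdn as the only subject.
gen_manager_ldif() {
    grp="$1"; shift
    if [ "$#" -lt 1 ]; then
        echo "usage: gen_manager_ldif GROUP MANAGER_DN..." >&2
        return 1
    fi
    printf 'dn: cn=%s Managers,ou=Groups,%s\n' "$grp" "$SUFFIX"
    printf 'objectClass: top\n'
    printf 'objectClass: groupOfUniqueNames\n'
    printf 'cn: %s Managers\n' "$grp"
    printf 'description: People who can manage %s entries\n' "$grp"
    for dn in "$@"; do
        printf 'uniqueMember: %s\n' "$dn"
    done
    printf '\n'                      # blank line = LDIF record separator
    printf 'dn: ou=People,%s\n' "$SUFFIX"
    printf 'changetype: modify\n'
    printf 'add: aci\n'
    printf 'aci: (targetattr = "gecos || loginShell || userPassword")(targetfilter = "(ou=%s)")(version 3.0; acl "%s Group Permissions"; allow (write)(groupdn = "ldap:///cn=%s Managers,ou=Groups,%s");)\n' \
        "$grp" "$grp" "$grp" "$SUFFIX"
}

# Apply for all three environments in one ldapadd run (ldapadd is ldapmodify -a,
# so the add record and the changetype: modify record can share one stream).
# The UAT and DEV member DNs below are placeholders to fill in:
#   { gen_manager_ldif PROD "uid=smiddy6,ou=People,$SUFFIX"; printf '\n'
#     gen_manager_ldif UAT  "uid=...,ou=People,$SUFFIX";     printf '\n'
#     gen_manager_ldif DEV  "uid=...,ou=People,$SUFFIX"; } |
#   ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
```

Because targetfilter keys on the ou attribute of the target entry, the function never puts ou itself into the targetattr list; a manager who could rewrite ou could move any entry into his own scope.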
Let's check if those ACIs work.
dirsrv@ldap01 $ ldappasswd -D "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -xW -ZZ -AS
Old password: changeme987
Re-enter old password: changeme987
New password: xxx
Re-enter new password: xxx
Enter LDAP Password: changeme987
dirsrv@ldap01 $ ldapsearch -D "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -xLLL -W \
-b "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -ZZ \
-E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com' "(objectClass=*)"
...
entryLevelRights: v
attributeLevelRights: objectClass:rsc, ou:rsc, sn:rsc, cn:rsc, uid:rsc, uidNum
ber:rsc, gidNumber:rsc, homeDirectory:rscwo, loginShell:rscwo, gecos:rscwo, s
hadowLastChange:rsc, userPassword:wo
With those access controls in place smiddy6 can change gecos, loginShell and userPassword on its own entry. The letters are r(ead), s(earch), c(ompare), w(rite) and o(bliterate), i.e. delete; userPassword shows only wo because no ACI in place grants read access to it. Note that homeDirectory also shows up as rscwo although the ACI above does not list it: the effective rights are the sum of every ACI that applies, so that write right comes from another ACI already on the suffix, and any write you did not expect in this output is worth tracing back to the ACI that grants it. Since smiddy6 is itself a PROD member and a PROD manager, this check cannot separate self rights from manager rights. PROD group managers (like smiddy6) should be able to change the same attributes for other PROD group members (like aeger10) as well.
dirsrv@ldap01 $ ldapsearch -D "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -xLLL -W \
-b "uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com" -ZZ \
-E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com' "(objectClass=*)"
...
entryLevelRights: v
attributeLevelRights: objectClass:rsc, ou:rsc, sn:rsc, cn:rsc, uid:rsc, uidNum
ber:rsc, gidNumber:rsc, homeDirectory:rscwo, loginShell:rscwo, gecos:rscwo, s
hadowLastChange:rsc, userPassword:wo
...
Looks good. LDAP user aeger10 on the other hand is not a group manager, so (s)he should have no rights to update any attributes for smiddy6.
dirsrv@ldap01 $ ldappasswd -D "uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com" -xW -ZZ -AS
...
dirsrv@ldap01 $ ldapsearch -D "uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com" -xLLL -W \
-b "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -ZZ \
-E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com' "(objectClass=*)"
...
entryLevelRights: v
attributeLevelRights: objectClass:rsc, ou:rsc, sn:rsc, cn:rsc, uid:rsc, uidNum
ber:rsc, gidNumber:rsc, homeDirectory:rsc, loginShell:rsc, gecos:rsc, shadowL
astChange:rsc, userPassword:none
I call that a win.
Keep in mind that no user and no manager group should ever be able to write uidNumber, gidNumber or objectClass! With write on uidNumber you'll end up with a bunch of LDAP users with uid 0 on your servers, and gidNumber 0 or an altered objectClass are just as bad. The same goes for ou here, because the targetfilter "(ou=PROD)" decides which entries a PROD manager may touch; if managers could write ou they could pull any entry into their own scope. Keep targetattr an explicit allowlist as above and avoid the negated form (targetattr != "..."), which grants access to every other attribute, including ones you add to the schema later.
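The effective-rights output above is the place to verify that rule, and it is easy to script. As an added example (not part of the original post), the POSIX shell functions below unfold the LDIF continuation lines of a GER result, list every attribute with a w or o right, and fail when a protected attribute such as uidNumber is among them. SAMPLE_OK is the page's own result for smiddy6; SAMPLE_BAD is a constructed variant in which uidNumber has become writable, the case the audit must catch. The PROTECTED list is an assumption for this tree.

```shell
#!/bin/sh
# Output as printed by ldapsearch -LLL with the Get Effective Rights control
# (-E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:<bind dn>'). Lines beginning with a single
# space are LDIF continuation lines. SAMPLE_OK is copied from the page; SAMPLE_BAD
# is constructed to show a misconfigured ACI that exposes uidNumber.
SAMPLE_OK='dn: uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com
entryLevelRights: v
attributeLevelRights: objectClass:rsc, ou:rsc, sn:rsc, cn:rsc, uid:rsc, uidNum
 ber:rsc, gidNumber:rsc, homeDirectory:rscwo, loginShell:rscwo, gecos:rscwo, s
 hadowLastChange:rsc, userPassword:wo'

SAMPLE_BAD='dn: uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com
entryLevelRights: v
attributeLevelRights: objectClass:rsc, ou:rsc, uid:rsc, uidNumber:rscwo, gidNu
 mber:rsc, loginShell:rscwo, userPassword:wo'

# Attributes that must never be writable through an ACI on ou=People (assumption).
PROTECTED="uidNumber gidNumber objectClass ou uid"

# ldif_unfold: stdin -> stdout, joining each continuation line onto the line before it.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { print buf }
    '
}

# ger_writable OUTPUT: print every attribute whose rights contain w (write) or o (obliterate).
ger_writable() {
    printf '%s\n' "$1" | ldif_unfold | awk -F': ' '
        $1 == "attributeLevelRights" {
            n = split($2, pairs, ", ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, ":")
                if (kv[2] ~ /[wo]/) print kv[1]
            }
        }'
}

# ger_check OUTPUT [ATTR...]: return 0 when none of the given attributes
# (default: PROTECTED) is writable, 1 otherwise, naming each offender on stderr.
ger_check() {
    out="$1"; shift
    [ "$#" -gt 0 ] || set -- $PROTECTED
    rc=0
    for attr in "$@"; do
        if ger_writable "$out" | grep -qx "$attr"; then
            echo "FAIL: $attr is writable for this bind DN" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Live use: run the check for every bind DN you care about, e.g.
#   ger_check "$(ldapsearch -x -ZZ -LLL -D "$BIND" -W -b "$TARGET" \
#       -E "!1.3.6.1.4.1.42.2.27.9.5.2=:dn:$BIND" '(objectClass=*)')"
```

Run it once per (bind DN, target entry) pair you care about, not just for the managers: the ACIs in place are the sum of everything on the suffix, and a non-manager who unexpectedly gets a w on a protected attribute is exactly what this is meant to find.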
Read the next part at 389 Directory Server 1.3.x Replication.