Tuesday, January 8, 2019

389 Directory Server 1.3.x Users, Groups and ACIs

Now that our password policy is in place (see 389 Directory Server 1.3.x Password Policy), it's time to add some users and groups to our directory.

Let's start by generating some random users, plus three POSIX groups that also serve as the users' organizational units (the ou attribute on each user entry).

[root@ldap01 ~]# yum -y install words
...
dirsrv@ldap01 $ cat << 'EOF' > genUsers.sh
#!/bin/bash
# Generate 200 random users as LDIF files in People/. The outer heredoc
# delimiter is quoted ('EOF') so that the variables below are written into
# the script literally instead of being expanded by the shell writing it.

set -o errexit
set -o nounset
set -o pipefail

LDAP_GRP=(PROD UAT DEV)
declare -A LDAP_GRPID=([PROD]=1001 [UAT]=1002 [DEV]=1003)
# Dictionary words without punctuation serve as given names and surnames.
NAMES=( $(grep -Ev '[[:punct:]]' /usr/share/dict/words) )

NUMNAMES="${#NAMES[*]}"

# 400 distinct random indexes into NAMES; valid indexes are 0..NUMNAMES-1.
RNDNR=( $(shuf -i 0-$(( NUMNAMES - 1 )) -n 400) )

mkdir -p People

for i in {0..199}; do
  GN="${NAMES[${RNDNR[$i]}]}"
  SN="${NAMES[${RNDNR[$i+100]}]}"
  UIDN="$(( 1001 + i ))"
  # Login name: first six letters of the surname plus a random number, lowercased
  # (a repeated login name overwrites the earlier file).
  UIDL="${SN:0:6}$(( RANDOM % 99 ))"
  UIDL="${UIDL,,}"
  GRPRND="$(( RANDOM % 3 ))"
  GRPL="${LDAP_GRP[$GRPRND]}"

  echo "Creating People/${UIDL}.ldif ..."
  # The inner heredoc is intentionally unquoted so the per-user values are filled in.
  cat << EOT > People/${UIDL}.ldif
dn: uid=$UIDL,ou=People,dc=unix,dc=mycompany,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
ou: $GRPL
sn: ${SN^}
cn: ${GN^} ${SN^}
uid: $UIDL
uidNumber: $UIDN
gidNumber: ${LDAP_GRPID[$GRPL]}
homeDirectory: /home/$UIDL
loginShell: /bin/bash
gecos: ${GN^} ${SN^}, $UIDL@mycompany.com
mail: $UIDL@mycompany.com
userPassword: changeme987

EOT
done
EOF
dirsrv@ldap01 $ chmod +x genUsers.sh
dirsrv@ldap01 $ ./genUsers.sh
...
Creating People/smiddy6.ldif ...
...

dirsrv@ldap01 $ ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
dn: cn=prod,ou=Groups,dc=unix,dc=mycompany,dc=com
objectClass: top
objectClass: posixGroup
cn: prod
gidNumber: 1001

dn: cn=uat,ou=Groups,dc=unix,dc=mycompany,dc=com
objectClass: top
objectClass: posixGroup
cn: uat
gidNumber: 1002

dn: cn=dev,ou=Groups,dc=unix,dc=mycompany,dc=com
objectClass: top
objectClass: posixGroup
cn: dev
gidNumber: 1003
^D
...
dirsrv@ldap01 $ cat People/*.ldif | ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
...

We should now have 200 LDAP users and 3 LDAP groups. Next we want some manager groups and ACIs so that designated users are able to edit certain attributes of other users. I'll show this only for the PROD group (the users with ou=PROD, which corresponds to the POSIX group prod with gidNumber 1001).

dirsrv@ldap01 $ ldapsearch -D "cn=Directory Manager" -xy /etc/dirsrv/.dmpw -ZZ -LLL \
  -b "ou=People,dc=unix,dc=mycompany,dc=com" "(&(objectclass=posixAccount)(gidNumber=1001))" uid gidNumber
...
dn: uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com
uid: aeger10
gidNumber: 1001
...
dn: uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com
uid: smiddy6
gidNumber: 1001
...

dirsrv@ldap01 $ ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
dn: cn=PROD Managers,ou=Groups,dc=unix,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: PROD Managers
description: People who can manage PROD entries
ou: Groups
uniqueMember: uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com
^D
...

The LDAP user smiddy6 is now a member of PROD Managers. Let's create an ACI on ou=People so that the PROD Managers group can actually do something: write the gecos, loginShell and userPassword attributes of entries whose ou is PROD.

dirsrv@ldap01 $ ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
dn: ou=People,dc=unix,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (targetattr = "gecos || loginShell || userPassword")(targetfilter ="(ou
 =PROD)")(version 3.0;acl "PROD Group Permissions";allow (write)(groupdn = "
 ldap:///cn=PROD Managers,ou=Groups,dc=unix,dc=mycompany,dc=com");)
^D
...

Let's check whether the ACI works.

dirsrv@ldap01 $ ldappasswd -D "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -xW -ZZ -AS
Old password: changeme987
Re-enter old password: changeme987
New password: xxx
Re-enter new password: xxx
Enter LDAP Password: changeme987

dirsrv@ldap01 $ ldapsearch -D "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -xLLL -W \
  -b "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -ZZ \
  -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com' "(objectClass=*)"
...
entryLevelRights: v
attributeLevelRights: objectClass:rsc, ou:rsc, sn:rsc, cn:rsc, uid:rsc, uidNum
 ber:rsc, gidNumber:rsc, homeDirectory:rscwo, loginShell:rscwo, gecos:rscwo, s
 hadowLastChange:rsc, userPassword:wo

With those access controls in place, users can change their own gecos and loginShell (rights rscwo: r(ead), s(earch), c(ompare), w(rite) and o(bliterate)) and userPassword (rights wo: w(rite) and o(bliterate)) attributes. PROD group managers (like smiddy6) should be able to change the same attributes for other PROD group members (like aeger10) as well.

dirsrv@ldap01 $ ldapsearch -D "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -xLLL -W -b "uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com" -ZZ -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com' "(objectClass=*)"
...
entryLevelRights: v
attributeLevelRights: objectClass:rsc, ou:rsc, sn:rsc, cn:rsc, uid:rsc, uidNum
 ber:rsc, gidNumber:rsc, homeDirectory:rscwo, loginShell:rscwo, gecos:rscwo, s
 hadowLastChange:rsc, userPassword:wo
...

Looks good. LDAP user aeger10 on the other hand is not a group manager, so (s)he should have no rights to update any attributes for smiddy6.

dirsrv@ldap01 $ ldappasswd -D "uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com" -xW -ZZ -AS
...
dirsrv@ldap01 $ ldapsearch -D "uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com" -xLLL -W \
  -b "uid=smiddy6,ou=People,dc=unix,dc=mycompany,dc=com" -ZZ \
  -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com' "(objectClass=*)"
...
entryLevelRights: v
attributeLevelRights: objectClass:rsc, ou:rsc, sn:rsc, cn:rsc, uid:rsc, uidNum
 ber:rsc, gidNumber:rsc, homeDirectory:rsc, loginShell:rsc, gecos:rsc, shadowL
 astChange:rsc, userPassword:none

I call that a win.

Keep in mind that you don't want any user (managers included) to be able to write the uidNumber attribute! Otherwise anyone could set their own uidNumber to 0 and you'll end up with a bunch of LDAP users who are root on every server that authenticates against the directory.
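As an added example (not code from the original post or from 389 DS), here is a small Python audit script for exactly that check. It parses the output of an ldapsearch run with the Get Effective Rights control, as shown above, unfolds the LDIF continuation lines, and flags any attribute from a protected set that the bound user could write or obliterate. The protected set (objectClass, uid, uidNumber, gidNumber) is an assumed policy for this example; the two embedded samples are constructed, the first modelled on the manager output above and the second showing what a mistaken ACI with targetattr = "*" would produce.

```python
"""Audit 389 DS Get Effective Rights output for writable identity attributes.

Added example for this post, not part of 389 DS. Feed it the output of
ldapsearch ... -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:<bound dn>' (see above).
"""

# Attributes that no user or group manager should be able to write (assumed policy).
PROTECTED_ATTRS = frozenset({"objectClass", "uid", "uidNumber", "gidNumber"})


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_effective_rights(text):
    """Return (entryLevelRights, {attribute: set of right letters}).

    Right letters as printed by 389 DS: r(ead), s(earch), c(ompare), w(rite),
    o(bliterate); the literal 'none' means no rights at all.
    """
    entry_rights = ""
    attr_rights = {}
    for line in unfold_ldif(text):
        if line.startswith("entryLevelRights:"):
            entry_rights = line.split(":", 1)[1].strip()
        elif line.startswith("attributeLevelRights:"):
            for item in line.split(":", 1)[1].split(","):
                item = item.strip()
                if not item:
                    continue
                attr, rights = item.split(":", 1)
                attr_rights[attr] = set() if rights == "none" else set(rights)
    return entry_rights, attr_rights


def writable_protected(attr_rights, protected=PROTECTED_ATTRS):
    """Protected attributes the bound user can write (w) or obliterate (o)."""
    return sorted(a for a, r in attr_rights.items() if a in protected and r & {"w", "o"})


def audit(text):
    """Parse one effective-rights result and report policy violations."""
    entry_rights, attr_rights = parse_effective_rights(text)
    return {"entry": entry_rights, "violations": writable_protected(attr_rights)}


# Constructed sample: what the PROD manager smiddy6 sees on aeger10 with the post's ACI.
MANAGER_ON_MEMBER = """\
dn: uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com
entryLevelRights: v
attributeLevelRights: objectClass:rsc, ou:rsc, sn:rsc, cn:rsc, uid:rsc, uidNum
 ber:rsc, gidNumber:rsc, homeDirectory:rscwo, loginShell:rscwo, gecos:rscwo, s
 hadowLastChange:rsc, userPassword:wo
"""

# Constructed sample: what a mistaken ACI with targetattr = "*" would yield instead.
OVERBROAD_ACI = """\
dn: uid=aeger10,ou=People,dc=unix,dc=mycompany,dc=com
entryLevelRights: v
attributeLevelRights: objectClass:rscwo, ou:rscwo, sn:rscwo, cn:rscwo, uid:rscwo,
 uidNumber:rscwo, gidNumber:rscwo, homeDirectory:rscwo, loginShell:rscwo, gecos
 :rscwo, shadowLastChange:rscwo, userPassword:wo
"""

if __name__ == "__main__":
    for label, sample in (("manager ACI", MANAGER_ON_MEMBER), ("targetattr=* ACI", OVERBROAD_ACI)):
        result = audit(sample)
        status = "OK" if not result["violations"] else "FAIL: writable " + ", ".join(result["violations"])
        print(f"{label}: {status}")
```

Run it against the saved output of the effective-rights search for each manager account (and for a plain member) after every ACI change; a non-empty violations list means an ACI grants more than the post intends.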

Read the next part at 389 Directory Server 1.3.x Replication.
