Thread: Access to zimbraAccountStatus attribute for regular user

  1. #1

    Access to zimbraAccountStatus attribute for regular user

    Hi all!
    I want to use Zimbra's LDAP for auth on all our services, but for security purposes I don't want to use the uid=zimbra,cn=admins,cn=zimbra account as bind-dn. I want to create a regular ZCS user and give it read access to common attributes and to the zimbraAccountStatus attribute (I want to use it in an LDAP filter to check whether an account is closed or not).
    I know that I must adjust the LDAP ACLs. How can I do this with ldapmodify, or is there any way to do this without ldapmodify?

  2. #2

    Quote Originally Posted by m0ps
    Hi all!
    I want to use Zimbra's LDAP for auth on all our services, but for security purposes I don't want to use the uid=zimbra,cn=admins,cn=zimbra account as bind-dn. I want to create a regular ZCS user and give it read access to common attributes and to the zimbraAccountStatus attribute (I want to use it in an LDAP filter to check whether an account is closed or not).
    I know that I must adjust the LDAP ACLs. How can I do this with ldapmodify, or is there any way to do this without ldapmodify?
    Hello m0ps,

    Unless you know exactly what you need, I strongly advise against changing Zimbra LDAP.

    There are a few reasons, to say the least, to follow this advice.

    However, you can adjust your LDAP queries using a regular Zimbra user to detect whether an account exists or not.

    ccelis.

  3. #3

    Hi ccelis. Thanks for your reply.
    Quote Originally Posted by ccelis5215
    Unless you know exactly what you need, I strongly advise against changing Zimbra LDAP.
    I know what I want to do. I need to grant read access to the zimbraAccountStatus LDAP attribute for some ZCS users.

    Quote Originally Posted by ccelis5215
    However, you can adjust your LDAP queries using a regular Zimbra user to detect whether an account exists or not.
    But a user may be in the "closed" state, and if I use a regular Zimbra user as bind-dn I can't determine this, because it can't access the zimbraAccountStatus LDAP attribute.

  4. #4

    Solution

    Finally I found a solution:
    I created zcs-acl.ldif with the following content
    Code:
    dn: olcDatabase={2}mdb,cn=config
    changetype: Modify
    add: olcAccess
    olcAccess: to attrs=zimbraAccountStatus by dn.base="uid=binduser,ou=people,dc=domain,dc=com" read
    and imported it into LDAP via
    Code:
    /opt/zimbra/openldap/bin/ldapmodify -D cn=config -W -x -H ldapi:/// -f /tmp/zcs-acl.ldif
    Now I can check whether the ACL is applied via:
    Code:
    sudo /opt/zimbra/openldap/sbin/slapacl -b "uid=user,ou=people,dc=domain,dc=com" -D "uid=binduser,ou=people,dc=domain,dc=com" "zimbraAccountStatus/read" -F /opt/zimbra/data/ldap/config/
    After a minor update from 8.0.2 to 8.0.3 all is OK. But now an ACL check is needed before each update. If in the new version there are more than 10 ACLs (in 8.0.3 there are 10), it's necessary to remove the custom ACL (number 11) and add it again after the update. The current ACLs can be checked in the file /opt/zimbra/data/ldap/config/cn=config/olcDatabase={2}mdb.ldif

  5. #5

    Quote Originally Posted by m0ps
    Finally I found a solution:
    I created zcs-acl.ldif with the following content
    Code:
    dn: olcDatabase={2}mdb,cn=config
    changetype: Modify
    add: olcAccess
    olcAccess: to attrs=zimbraAccountStatus by dn.base="uid=binduser,ou=people,dc=domain,dc=com" read
    and imported it into LDAP via
    Code:
    /opt/zimbra/openldap/bin/ldapmodify -D cn=config -W -x -H ldapi:/// -f /tmp/zcs-acl.ldif
    Now I can check whether the ACL is applied via:
    Code:
    sudo /opt/zimbra/openldap/sbin/slapacl -b "uid=user,ou=people,dc=domain,dc=com" -D "uid=binduser,ou=people,dc=domain,dc=com" "zimbraAccountStatus/read" -F /opt/zimbra/data/ldap/config/
    After a minor update from 8.0.2 to 8.0.3 all is OK. But now an ACL check is needed before each update. If in the new version there are more than 10 ACLs (in 8.0.3 there are 10), it's necessary to remove the custom ACL (number 11) and add it again after the update. The current ACLs can be checked in the file /opt/zimbra/data/ldap/config/cn=config/olcDatabase={2}mdb.ldif
    Good, thanks for sharing!

    ccelis

  6. #6

    I found a problem when using the proposed modification. After applying the ACL, the user uid=zimbra,cn=admins,cn=zimbra loses access to this attribute. To get around this problem, use the following ACL:
    Code:
    dn: olcDatabase={2}mdb,cn=config
    changetype: Modify
    add: olcAccess
    olcAccess: to attrs=zimbraAccountStatus by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=binduser,ou=people,dc=domain,dc=com" read
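A check for the pre-upgrade ACL inventory described in post #4, built around the corrected rule from post #6. This is an added example, not code from the thread: it parses a constructed stand-in for olcDatabase={2}mdb.ldif, reports the custom rule's index and whether it is still the last one, and emits the delete/re-add LDIF; the two stock rules in the sample are placeholders, not Zimbra's actual ACLs.

```python
import re
# Constructed stand-in for /opt/zimbra/data/ldap/config/cn=config/olcDatabase={2}mdb.ldif:
# two placeholder stock rules (not Zimbra's real ones) plus the custom rule from post #6.
SAMPLE_LDIF = """\
dn: olcDatabase={2}mdb
olcAccess: {0}to attrs=userPassword by anonymous auth by * none
olcAccess: {1}to * by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {2}to attrs=zimbraAccountStatus by dn.children="cn=admins,cn=zimbra" write
  by dn.exact="uid=binduser,ou=people,dc=domain,dc=com" read
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_olc_access(text):
    """Map index -> rule text for every ordered 'olcAccess: {n}...' value."""
    rules = {}
    for line in unfold_ldif(text):
        m = re.match(r"olcAccess:\s*\{(\d+)\}(.*)$", line)
        if m:
            rules[int(m.group(1))] = m.group(2).strip()
    return dict(sorted(rules.items()))

def locate_custom_rule(rules, attr="zimbraAccountStatus"):
    """Return (index, is_last) for the rule whose 'to' clause names attr; is_last is
    the thread's upgrade check (an upgrade shipping more stock rules displaces it)."""
    for idx, rule in rules.items():
        if re.match(r"to attrs=" + re.escape(attr) + r"\b", rule):
            return idx, idx == max(rules)
    return None, False

def reinsert_ldif(idx, rule, dn="olcDatabase={2}mdb,cn=config"):
    """LDIF that deletes the rule by its current index and re-adds it without an
    index, so cn=config appends it after whatever the upgrade installed."""
    return (f"dn: {dn}\nchangetype: modify\ndelete: olcAccess\nolcAccess: {{{idx}}}\n"
            f"-\nadd: olcAccess\nolcAccess: {rule}\n")

if __name__ == "__main__":
    rules = parse_olc_access(SAMPLE_LDIF)
    idx, is_last = locate_custom_rule(rules)
    print(f"{len(rules)} ACLs; custom rule at index {idx}; last={is_last}")
    print(reinsert_ldif(idx, rules[idx]))
```

Run it against the real file after an upgrade: if is_last is False, the emitted LDIF is the remove-and-re-add step the post describes, to be reviewed and fed to ldapmodify the same way as zcs-acl.ldif.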
