I have installed OpenLDAP server on Rocky Linux:
[root@localhost etc]# cat rocky-release
Rocky Linux release 8.8 (Green Obsidian)
I created the manager account following this guide on HowtoForge. The installation created the mdb files, I imported the default schema and I created some organizationalPersons.
The purpose is to restrict access from specific IP addresses: I want to deny access from the IP subnet 172..+ for user A and I want to grant full access to user B.
I tried to modify the file olcDatabase={2}mdb.ldif directly in this way:
[root@localhost cn=config]# cat olcDatabase\=\{2\}mdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 78f71d75
dn: olcDatabase={2}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcMdbConfig
entryUUID: 36722bb2-f64a-103d-9b51-4f57d349a308
creatorsName: cn=config
createTimestamp: 20231003150645Z
olcSuffix: dc=hwdomain,dc=lan
olcRootDN: cn=Manager,dc=hwdomain,dc=lan
olcRootPW:: e1NTSEF9VmNVdGlFZ0pEcmQrdnZzSGE5MzloK0VxbXdEQzJpYW8=
olcAccess: {0}to * by dn="cn=A,ou=People,dc=hwdomain,dc=lan" by peername.regex=IP=172\..+ none by * break
olcAccess: {1}to * by dn="cn=B,ou=People,dc=hwdomain,dc=lan" by peername.regex=IP=172\..+ manage by * break
olcAccess: {2}to * by * none
entryCSN: 20231004134853.723210Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20231004134853Z
[root@localhost cn=config]#
Trying to deny access for A from 172.* and to allow access for B from 172.*. I also tried this type of predicate:
olcAccess: {0}to * by dn.base="cn=A,ou=People,dc=hwdomain,dc=lan" by peername.regex=IP=172\..+ none by * break
olcAccess: {1}to * by dn.base="cn=B,ou=People,dc=hwdomain,dc=lan" by peername.regex=IP=172\..+ manage by * break
olcAccess: {2}to * by * none
or this one (with and without .base):
olcAccess: {0}to * by dn.base="cn=A,ou=People,dc=hwdomain,dc=lan" by peername.regex=IP=172\..+ none
olcAccess: {1}to * by dn.base="cn=B,ou=People,dc=hwdomain,dc=lan" by peername.regex=IP=172\..+ manage
olcAccess: {2}to * by * none
Unfortunately, access doesn't work for any user:
Oct 04 18:29:23 localhost.localdomain slapd[2382]: conn=1008 fd=13 ACCEPT from IP=192.168.230.1:57914 (IP=0.0.0.0:389)
Oct 04 18:29:23 localhost.localdomain slapd[2382]: conn=1008 op=0 BIND dn="cn=aaa,ou=People,dc=hwdomain,dc=lan" method=128
Oct 04 18:29:23 localhost.localdomain slapd[2382]: conn=1008 op=0 RESULT tag=97 err=49 text=
Oct 04 18:29:23 localhost.localdomain slapd[2382]: conn=1008 fd=13 closed (connection lost)
Oct 04 18:29:44 localhost.localdomain slapd[2382]: conn=1009 fd=13 ACCEPT from IP=192.168.230.1:57921 (IP=0.0.0.0:389)
Oct 04 18:29:44 localhost.localdomain slapd[2382]: conn=1009 op=0 BIND dn="cn=aaa,ou=People,dc=hwdomain,dc=lan" method=128
Oct 04 18:29:44 localhost.localdomain slapd[2382]: conn=1009 op=0 RESULT tag=97 err=49 text=
Oct 04 18:29:44 localhost.localdomain slapd[2382]: conn=1009 fd=13 closed (connection lost)
Could anybody help me find the resolution path? Do you have any tips and/or tricks to suggest? I tried all the ways documented in the OpenLDAP guide.
The OpenLDAP versions are these:
[root@localhost etc]# yum list installed | egrep -i "open.*ldap"
openldap.x86_64 2.4.46-18.el8 @anaconda
openldap-clients.x86_64 2.4.46-18.el8 @baseos
openldap-servers.x86_64 2.4.46-18.el8 @powertools
I really appreciate any kind of help, I'm in serious trouble.
Thanks for reading!!
What did I try?
- manual modification of the MDB file
- modification of the MDB file via ldapmodify
What do I need? Set olcAccess to restrict access to LDAP from a specific subnet.
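An added example (not from the question or from the OpenLDAP project) of an ldapmodify LDIF that replaces the three olcAccess values above with a set that still lets simple binds authenticate. It assumes the DNs from the question and that the edit is applied over ldapi:/// with the root-DSE EXTERNAL identity, as the modifiersName in the file shows; `^IP=172\..+` is assumed to be the intended peer-address pattern.

```ldif
# Constructed example: corrected olcAccess set for olcDatabase={2}mdb.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
#
# Two points the question's rules miss:
#  1. A simple bind is evaluated while the connection is still anonymous,
#     so "by dn=cn=A ..." can never match during A's own bind. To refuse A
#     from 172.* at bind time, deny 'auth' on A's entry for those peers.
#  2. Several <who> terms belong in ONE 'by' clause and must all match (AND).
#     Writing "by dn=... by peername.regex=... none" makes two clauses, and
#     the first one carries no access level at all.
#  Continuation lines start with a space; the second space is the real one.
#  The final "to * by * none" from the question would also block the
#  'auth' access every simple bind needs on userPassword, hence err=49.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.exact="cn=A,ou=People,dc=hwdomain,dc=lan" attrs=userPassword
  by peername.regex=^IP=172\..+ none
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by dn.exact="cn=B,ou=People,dc=hwdomain,dc=lan" manage
  by dn.exact="cn=A,ou=People,dc=hwdomain,dc=lan" peername.regex=^IP=172\..+ none
  by users read
  by * none
```

After applying, a bind by A from a 172.* address is logged with err=49 while B keeps manage access from anywhere; check with `ldapwhoami -x -D "cn=A,ou=People,dc=hwdomain,dc=lan" -W -H ldap://<server>` from inside and outside the subnet.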