Thread: Access to zimbraAccountStatus attribute for regular user

  1. #1 m0ps (Junior Member, Chernigov (Ukraine), joined Nov 2012)

    Question: Access to zimbraAccountStatus attribute for regular user

    Hi all!
    I want to use Zimbra's LDAP for auth on all our services, but for security purposes I don't want to use the uid=zimbra,cn=admins,cn=zimbra account as bind DN. I want to create a regular ZCS user and give it read access to common attributes and to the zimbraAccountStatus attribute (I want to use it in an LDAP filter to check whether the account is closed or not).
    I know that I must adjust the LDAP ACLs. How can I do this with ldapmodify, or is there any way to do this without ldapmodify?

  2. #2 ccelis5215 (Elite Member, Caracas, Venezuela, joined Jun 2011)

    Quote Originally Posted by m0ps:
    Hi all!
    I want to use Zimbra's LDAP for auth on all our services, but for security purposes I don't want to use the uid=zimbra,cn=admins,cn=zimbra account as bind DN. I want to create a regular ZCS user and give it read access to common attributes and to the zimbraAccountStatus attribute (I want to use it in an LDAP filter to check whether the account is closed or not).
    I know that I must adjust the LDAP ACLs. How can I do this with ldapmodify, or is there any way to do this without ldapmodify?

    Hello m0ps,

    Unless you know exactly what you need, I strongly advise not changing the Zimbra LDAP.

    There are a few reasons, to say the least, to follow this advice.

    However, you can adjust your LDAP queries using a regular Zimbra user to detect whether an account exists or not.

    ccelis.

  3. #3 m0ps (Junior Member, Chernigov (Ukraine), joined Nov 2012)

    Hi ccelis. Thanks for your reply.
    Quote Originally Posted by ccelis5215:
    Unless you know exactly what you need, I strongly advise not changing the Zimbra LDAP.
    I know what I want to do. I need to grant read access to the zimbraAccountStatus LDAP attribute for some ZCS users.

    Quote Originally Posted by ccelis5215:
    However, you can adjust your LDAP queries using a regular Zimbra user to detect whether an account exists or not.
    But the user may be in the "closed" state, and if I use a regular Zimbra user as bind DN I can't determine this, because it can't access the zimbraAccountStatus LDAP attribute.

  4. #4 m0ps (Junior Member, Chernigov (Ukraine), joined Nov 2012)

    Solution

    Finally I found a solution:
    I created zcs-acl.ldif with the following content:
    Code:
    dn: olcDatabase={2}mdb,cn=config
    changetype: Modify
    add: olcAccess
    olcAccess: to attrs=zimbraAccountStatus by dn.base="uid=binduser,ou=people,dc=domain,dc=com" read
    and imported it into LDAP via
    Code:
    /opt/zimbra/openldap/bin/ldapmodify -D cn=config -W -x -H ldapi:/// -f /tmp/zcs-acl.ldif
    Now I can check whether the ACL is applied via:
    Code:
    sudo /opt/zimbra/openldap/sbin/slapacl -b "uid=user,ou=people,dc=domain,dc=com" -D "uid=binduser,ou=people,dc=domain,dc=com" "zimbraAccountStatus/read" -F /opt/zimbra/data/ldap/config/
    After the minor update from 8.0.2 to 8.0.3 all is OK. But now, before each update, an ACL check is needed. If in the new version there are more than 10 ACLs (in 8.0.3 there are 10), it's necessary to remove the custom ACL (number 11) and add it again after the update. The current ACLs can be checked in the file /opt/zimbra/data/ldap/config/cn=config/olcDatabase={2}mdb.ldif
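The pre-upgrade check the post describes can be scripted. The following is an added example, not code from the thread or from Zimbra: it reads a copy of olcDatabase={2}mdb.ldif, unfolds LDIF continuation lines, orders the olcAccess values by the {N} prefix slapd writes into cn=config, and reports whether the custom zimbraAccountStatus rule is still present, at which 1-based position it sits, and whether a catch-all `to *` rule earlier in the list would shadow it (slapd uses the first `to` clause that matches and never looks further). Both LDIF samples are constructed; the default rules in them are placeholders and not Zimbra's real ACLs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of /opt/zimbra/data/ldap/config/cn=config/olcDatabase={2}mdb.ldif
# before an upgrade. {0} and {1} are placeholder defaults; {2} is the custom rule from
# the thread, folded over two lines the way slapd writes long values.
SAMPLE_BEFORE_UPGRADE = """\
dn: olcDatabase={2}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {2}to attrs=zimbraAccountStatus by dn.children="cn=admins,cn=zimbra" write
  by dn.exact="uid=binduser,ou=people,dc=domain,dc=com" read
"""

# Constructed sample after a hypothetical upgrade that shipped one more default rule
# ({2}to * ...) and pushed the custom rule to {3}: it is still present but can never
# fire, because slapd stops at the first <what> clause that matches.
SAMPLE_AFTER_UPGRADE = """\
dn: olcDatabase={2}mdb
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {2}to * by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {3}to attrs=zimbraAccountStatus by dn.children="cn=admins,cn=zimbra" write
  by dn.exact="uid=binduser,ou=people,dc=domain,dc=com" read
"""

ORDERED_VALUE = re.compile(r"^\{(\d+)\}(.*)$")
CATCH_ALL = re.compile(r"^to\s+\*(\s|$)")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_olc_access(text: str) -> List[str]:
    """Return the olcAccess values in slapd evaluation order (ascending {N} prefix)."""
    indexed, unindexed = [], []
    for line in unfold_ldif(text):
        if not line.lower().startswith("olcaccess:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = ORDERED_VALUE.match(value)
        if m:
            indexed.append((int(m.group(1)), m.group(2).strip()))
        else:
            # No {N}: slapd appends such values, which is what a plain "add: olcAccess" does.
            unindexed.append(value)
    indexed.sort(key=lambda iv: iv[0])
    return [value for _, value in indexed] + unindexed


def check_custom_acl(acls: List[str], what: str = "to attrs=zimbraAccountStatus") -> Dict[str, object]:
    """Report where the custom rule sits, using 1-based numbers like the thread ("number 11")."""
    position: Optional[int] = next((i for i, acl in enumerate(acls) if acl.startswith(what)), None)
    shadowed_by: Optional[int] = None
    if position is not None:
        shadowed_by = next((i for i in range(position) if CATCH_ALL.match(acls[i])), None)
    return {
        "count": len(acls),
        "position": None if position is None else position + 1,
        "is_last": position is not None and position == len(acls) - 1,
        "shadowed_by": None if shadowed_by is None else shadowed_by + 1,
    }


if __name__ == "__main__":
    for label, text in (("before upgrade", SAMPLE_BEFORE_UPGRADE), ("after upgrade", SAMPLE_AFTER_UPGRADE)):
        print(label, check_custom_acl(parse_olc_access(text)))
```

Run it against the real file on both sides of an upgrade: a `position` of `None` means the rule was dropped and must be re-added, and a non-`None` `shadowed_by` means it was kept but is dead, which slapacl would also reveal.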

  5. #5 ccelis5215 (Elite Member, Caracas, Venezuela, joined Jun 2011)

    Quote Originally Posted by m0ps:
    Finally I found a solution: [...]

    Good, thanks for sharing!

    ccelis

  6. #6 m0ps (Junior Member, Chernigov (Ukraine), joined Nov 2012)

    I found a problem when using the proposed modification. After applying the ACL, the user uid=zimbra,cn=admins,cn=zimbra loses access to this attribute. To get around this problem, use the following ACL:
    Code:
    dn: olcDatabase={2}mdb,cn=config
    changetype: Modify
    add: olcAccess
    olcAccess: to attrs=zimbraAccountStatus by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=binduser,ou=people,dc=domain,dc=com" read
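To see why the first ACL (post #4) locked the uid=zimbra,cn=admins,cn=zimbra account out while the one above does not, here is an added example that is not from the thread and not Zimbra or OpenLDAP code. It models slapd's ACL evaluation in a deliberately reduced form: rules are tried in order, the first rule whose `to` clause matches the attribute is the only one consulted, and inside it the first matching `by` clause decides; when no `by` clause matches, the result is `none`. The model only understands `attrs=` and `*` selectors and `dn.exact`/`dn.base`/`dn.children`/`dn.subtree`, `anonymous`, `users` and `*` subjects, ignores rootdn bypass and Zimbra's default rules, and assumes slapd's documented default policy (`access to * by * read`) when no rule matches at all. It is a teaching aid for the semantics, not a substitute for slapacl.

```python
import re
from typing import List, Optional, Tuple

# slapd access levels from weakest to strongest; a grant of level L satisfies any request <= L.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two rules from the thread, in the order they were proposed.
ACL_POST4 = ['to attrs=zimbraAccountStatus by dn.base="uid=binduser,ou=people,dc=domain,dc=com" read']
ACL_POST6 = ['to attrs=zimbraAccountStatus by dn.children="cn=admins,cn=zimbra" write '
             'by dn.exact="uid=binduser,ou=people,dc=domain,dc=com" read']
ADMIN_DN = "uid=zimbra,cn=admins,cn=zimbra"
BIND_DN = "uid=binduser,ou=people,dc=domain,dc=com"


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators so DNs compare by value."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def who_matches(who: str, bind_dn: Optional[str]) -> bool:
    """Does a <who> clause apply to this bind DN (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    m = re.fullmatch(r'dn\.(exact|base|children|subtree)="([^"]*)"', who)
    if not m or bind_dn is None:
        return False
    style, target = m.group(1), normalize_dn(m.group(2))
    dn = normalize_dn(bind_dn)
    if style in ("exact", "base"):
        return dn == target
    is_descendant = dn.endswith("," + target)
    return is_descendant if style == "children" else (is_descendant or dn == target)


def parse_acl(rule: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split 'to attrs=a,b by <who> <level> by ...' into (attrs, [(who, level), ...])."""
    what, *by_clauses = re.split(r"\s+by\s+", rule.strip())
    m = re.fullmatch(r"to\s+attrs=([\w,;-]+)", what)
    if m:
        attrs = [a.lower() for a in m.group(1).split(",")]
    elif re.fullmatch(r"to\s+\*", what):
        attrs = ["*"]
    else:
        raise ValueError("this reduced model only handles attrs= and * selectors: " + what)
    bys = []
    for clause in by_clauses:
        who, level = clause.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        bys.append((who, level))
    return attrs, bys


def granted_level(acls: List[str], attr: str, bind_dn: Optional[str]) -> Tuple[str, Optional[int]]:
    """Return (level, index of the rule that decided) for attr as seen by bind_dn."""
    for i, rule in enumerate(acls):
        attrs, bys = parse_acl(rule)
        if "*" in attrs or attr.lower() in attrs:
            for who, level in bys:
                if who_matches(who, bind_dn):
                    return level, i
            return "none", i      # <by> list exhausted: implicit "by * none"
    return "read", None           # assumption: slapd's default policy "access to * by * read"


def can(acls: List[str], attr: str, bind_dn: Optional[str], required: str) -> bool:
    """True if the granted level for attr is at least `required`."""
    level, _ = granted_level(acls, attr, bind_dn)
    return LEVELS.index(level) >= LEVELS.index(required)


if __name__ == "__main__":
    for name, acl in (("post #4", ACL_POST4), ("post #6", ACL_POST6)):
        for who, dn in (("admin", ADMIN_DN), ("binduser", BIND_DN), ("anonymous", None)):
            print(name, who, granted_level(acl, "zimbraAccountStatus", dn)[0])
```

The post #4 rule matches the attribute for every bind DN, so the admin account reaches it and falls off the end of its `by` list; the post #6 rule lists the admins container first, so it is decided as `write` before the binduser clause is even considered.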
