Score:0

OpenLDAP Access handling


I have installed OpenLDAP on Ubuntu Server 20.04. It works fine so far. Now I want to restrict access to the server, as by now anyone can read all entries, e.g. in Thunderbird. Therefore I created an LDIF file like this:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: to attrs=shadowLastChange
  by self write
  by * read
olcAccess: to * by * read

which is the standard configuration. Anyhow, if I change the last entry to something else, e.g.

olcAccess: to * by users read

I cannot access LDAP in Thunderbird anymore. What I want is that Thunderbird asks for a username and password before it shows anything. In Thunderbird there are 5 fields to set:

Name              Any name for the LDAP
Server address    DNS address
Base-DN           e.g. dc=example,dc=org
Port-Number       636
Bind-DN           ??

If I put nothing in the Bind-DN, Thunderbird does not ask for anything but also does not show anything. If I put my username or userid in it, it asks for a password but nothing is shown again.

I have two questions:

  • What should the LDIF look like?
  • What has to be put into Thunderbird?
Score:2

"Bind DN" is the name of a directory entry used in the login (bind) operation. In LDAP, there are no separate user IDs – instead your entries themselves are the LDAP accounts.

For example, cn=Arne Fallisch,ou=Staff,dc=example,dc=org would be your "Bind DN" (assuming it exists, of course), and the entry's userPassword attribute would be your password.

(The attribute can contain a hashed password; the slappasswd command can be used to generate a compatible password hash, or ldappasswd can be used to change the password online.)

Any entry regardless of its objectClass can be used for binding to the directory, as long as it has the userPassword attribute – this includes 'person', 'inetOrgPerson', 'posixAccount' and a few others.


Note that OpenLDAP ACLs work in "stealth" mode by default – that is, instead of saying "Access denied", the server pretends the unavailable entries don't exist at all. When protecting a whole server you probably would prefer it to just return an "Authentication is needed" error instead – to achieve this, define olcRequires: bind authc in your olcDatabase entry (but not in the global config entry; doing so would break things like StartTLS and SASL authentication).
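
As an added illustration (this is not part of the answer above and not OpenLDAP's own code), the following Python models how slapd evaluates the olcAccess rules from the question: the first matching "to" clause is used, within it the first matching "by" clause decides, and no match means no access, exactly the order slapd.access(5) describes. It only handles the <who> forms used on this page (self, anonymous, users, *), ignores regex and dn.* selectors, and uses constructed sample DNs; the "stealth" behaviour and the effect of olcRequires: authc are modelled as a simple search simulation, not as the real server's error codes.

```python
# Added example (not OpenLDAP code): a toy model of slapd's olcAccess evaluation
# for the <who> clauses used on this page (self, anonymous, users, *).
from dataclasses import dataclass
from typing import Optional

# slapd's access levels in ascending order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class Rule:
    attrs: Optional[frozenset]   # None means "to *"
    by: list                     # (who, level) pairs in the order they were written

def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_olcaccess(ldif: str) -> list:
    """Extract the olcAccess values from an LDIF fragment like the one in the question."""
    rules = []
    for line in unfold_ldif(ldif):
        if not line.startswith("olcAccess:"):
            continue
        tokens = line.split(":", 1)[1].split()
        if tokens[:1] != ["to"]:
            raise ValueError("olcAccess value must start with 'to'")
        what = tokens[1]
        attrs = None if what == "*" else frozenset(a.lower() for a in what[len("attrs="):].split(","))
        by, rest = [], tokens[2:]
        while rest:
            if rest[0] != "by" or len(rest) < 3 or rest[2] not in LEVELS:
                raise ValueError(f"expected 'by <who> <level>', got {rest!r}")
            by.append((rest[1], rest[2]))
            rest = rest[3:]
        rules.append(Rule(attrs, by))
    return rules

def who_matches(who: str, bound_dn: Optional[str], target_dn: str) -> bool:
    # bound_dn is None for an anonymous (unbound) requester
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported <who> clause {who!r}")

def granted_level(rules, bound_dn, target_dn, attr) -> str:
    """First matching 'to' clause wins; inside it the first matching 'by' wins;
    if nothing matches, access is denied (the slapd.access(5) order)."""
    for rule in rules:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for who, level in rule.by:
            if who_matches(who, bound_dn, target_dn):
                return level
        return "none"   # 'to' matched but no 'by' did: evaluation stops, deny
    return "none"

def allowed(rules, bound_dn, target_dn, attr, needed) -> bool:
    return LEVELS.index(granted_level(rules, bound_dn, target_dn, attr)) >= LEVELS.index(needed)

def search(rules, bound_dn, entry_dns, attr="cn", require_authc=False):
    """Simulate a search for one attribute over the given entries. By default
    slapd hides unreadable entries ('stealth' mode); with olcRequires: authc
    an anonymous operation is refused with an error instead."""
    if require_authc and bound_dn is None:
        return ("error", "authentication required")
    return ("ok", [dn for dn in entry_dns if allowed(rules, bound_dn, dn, attr, "read")])

# The ACL from the question, and the variant the asker tried ("to * by users read").
DEFAULT_ACL = parse_olcaccess("""\
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: to attrs=shadowLastChange
  by self write
  by * read
olcAccess: to * by * read
""")
USERS_ONLY_ACL = DEFAULT_ACL[:2] + parse_olcaccess("olcAccess: to * by users read")

# Constructed sample entries (the first DN is the one used in the comments below).
ARNE_DN = "cn=Arne Fallisch,ou=people,dc=example,dc=org"
OTHER_DN = "cn=Other User,ou=people,dc=example,dc=org"
ENTRIES = [ARNE_DN, OTHER_DN]

if __name__ == "__main__":
    print("anonymous, default ACL:            ", search(DEFAULT_ACL, None, ENTRIES))
    print("anonymous, users-only ACL:         ", search(USERS_ONLY_ACL, None, ENTRIES))
    print("anonymous + olcRequires authc:     ", search(USERS_ONLY_ACL, None, ENTRIES, require_authc=True))
    print("bound as Arne, users-only ACL:     ", search(USERS_ONLY_ACL, ARNE_DN, ENTRIES))
    print("anonymous may auth on userPassword:", allowed(DEFAULT_ACL, None, ARNE_DN, "userPassword", "auth"))
```

Running it shows the two behaviours discussed in the answer: with "to * by users read" an anonymous search returns an empty result rather than an error (the entries simply seem not to exist, which is why a Thunderbird address book with an empty Bind DN shows nothing), while the model of olcRequires: authc turns that into a refusal; and under the default ACL anonymous users keep exactly the "auth" level on userPassword that a bind needs, without being able to read the hash.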

Arne Fallisch:
First of all thank you for your help. I set up an LDIF file with:

dn: olcDatabase={1}mdb,cn=config
add: olcRequires
olcRequires: authc

And then put the bindDN to: cn=Arne Fallisch,ou=people,dc=example,dc=org. Then a password query appears, but when I enter the password it pops up again or nothing happens. I also tried with uid=afallisch but it also does not work. Interestingly, I also use a NextCloud server where the connection works perfectly.
Arne Fallisch:
Forgot the "read" in the LDIF file, now it works.