OpenLDAP Group Owners
LDAP is common in most organizations and its groups are often used to limit access to different services. However having people from the Operations team managing group members does not scale in a bigger organizations. A solution could be to add more administrators but that isn’t very secure in the long run, it’s better to delegate group administration the members or specific group administrators. This is were the OpenLDAP Access Control come in handy, the documentation take some time to get around so that’s why I’m giving some examples on how to manage group membership in OpenLDAP
Let’s look at the necessary ACL allowing members in a posixGroup to add/remove other members in that group. I recommend using
ldapvi to manage
cn=config which holds the database configuration.
sudo ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config will take you to the configuration and ACLs are usually located under
The following line allow
memberUid attributes to be changed for entries under
ou=Groups,dc=jhaals,dc=se by users included in that group.
olcAccess: to dn.sub="ou=Groups,dc=jhaals,dc=se" attrs=memberUid by set="this/memberUid & user/uid" write by * read
Please note that the ordering of the olcAccess entries is important as well as your previous ACLs. If your having problems it might help changing the ordering of the olcAccess entries. It’s done by changing the id number inside the curly braces
There are situations where you don’t want to allow modifications by every group member but rather specific “group owners”. There are unfortunately no owner attribute in a regular posixGroup and the
groupofuniquenames objectClass cannot be combined with a posixGroup.
My solution is a custom schema where the posixGroup can be extended with
objectClass: owner that allows multiple
cn=ops,ou=Groups,dc=jhaals,dc=se gidNumber: 20001 cn: ops memberUid: jhaals memberUid: stefan memberUid: nils ownerUid: jhaals objectClass: owner objectClass: posixGroup objectClass: top
owner.ldif required for the functionality
dn: cn=owner,cn=schema,cn=config changetype: add objectClass: olcSchemaConfig cn: owner olcAttributeTypes: ( 22.214.171.124.4.1.24552.501.1.1.1.13 NAME 'ownerUid' DESC 'MANDATORY: Group Owner' EQUALITY octetStringMatch SYNTAX 126.96.36.199.4.1.14188.8.131.52.40 ) olcObjectClasses: ( 184.108.40.206.4.1.24552.501.1.1.2.0 NAME 'owner' DESC 'MANDATORY: Group owner objectclass' SUP top AUXILIARY MAY ( ownerUid $ cn ) )
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f owner.ldif
olcAccess: to dn.sub="ou=Groups,dc=jhaals,dc=se" attrs=memberUid,ownerUid by set="this/ownerUid & user/uid" write by * read
Group owners can now change the memberUid and the ownerUid attributes for a group where they are added as owners.
Teach your users how to use ldapvi(
ldapvi -D "cn=jhaals,ou=Users,dc=jhaals,dc=se" --discover) and let them bind as themself or preferebly write a shiny interface to manage users.
Group administration can now be delegated! \o/