[midPoint] Disable OpenLDAP Users on MidPoint

Parttimaa Jan jan.parttimaa at myy.haaga-helia.fi
Wed Nov 28 08:22:07 CET 2018


Hi,


Here is our complete ACI. We made our OpenLDAP installation and configuration following this wiki article <https://wiki.evolveum.com/display/midPoint/OpenLDAP+Installation+and+Configuration>:


dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword dn.subtree="ou=people,dc=ldap,dc=pisnismiehet,dc=local" filter="(midPointAccountStatus=disabled)" by dn.subtree="ou=unixgroups,dc=ldap,dc=pisnismiehet,dc=local" none by anonymous none by * break
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to dn.subtree="ou=people,dc=ldap,dc=pisnismiehet,dc=local" by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" write
olcAccess: to dn.subtree="ou=groups,dc=ldap,dc=pisnismiehet,dc=local" by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" write
olcAccess: to dn.subtree="ou=unixgroups,dc=ldap,dc=pisnismiehet,dc=local" by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" write
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" read by self read by * none

We added the yellow line above according to this <https://github.com/Evolveum/midpoint/blob/master/samples/resources/openldap/olcAccess.ldif>, but no luck. Disabled users on MidPoint can still log in to the Linux server and desktop via OpenLDAP. We added midpoint.schema to our OpenLDAP successfully.


Is that yellow line correct? Should I add or modify something else?


Best Regards,

Jan Parttimaa




Jan Parttimaa

1602738,

Degree Programme in Business Information Technology,

Haaga-Helia University of Applied Sciences, Pasila campus
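A way to reason about the ordering question in the ACI above, as an added example that is not the poster's configuration nor any midPoint or OpenLDAP code: a simplified Python model of slapd's first-match evaluation of olcAccess directives, fed with the seven values quoted in the message. The entries alice and bob, their password values and the bind_allowed helper are constructed for the example; the model supports only the selector forms that occur in this ACI and is a reasoning aid, not a substitute for checking the real server (for example with ldapwhoami bound as the account in question).

```python
"""Simplified model of slapd's olcAccess evaluation order (constructed example,
not OpenLDAP code).  In this model the first directive whose <what> matches is
used; inside it the first matching <who> decides, unless its control is
'break' (go to the next directive, keeping any level set so far) or 'continue'
(keep checking later <who> clauses); a selected directive with no matching
<who> denies.  Only the <what>/<who> forms used in the ACI above are handled."""
import re
import shlex

LEVELS = ("none", "auth", "compare", "search", "read", "write")
CONTROLS = ("stop", "continue", "break")
SUFFIX = "dc=ldap,dc=pisnismiehet,dc=local"
IDM_DN = f"cn=idm,ou=Administrators,{SUFFIX}"
PEER = "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# The olcAccess values from the message, in the order slapd evaluates them.
ACL_LINES = [
    f'to attrs=userPassword dn.subtree="ou=people,{SUFFIX}" filter="(midPointAccountStatus=disabled)" '
    f'by dn.subtree="ou=unixgroups,{SUFFIX}" none by anonymous none by * break',
    f'to attrs=userPassword,shadowLastChange by dn="{IDM_DN}" write by {PEER} write '
    'by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    f'to dn.subtree="ou=people,{SUFFIX}" by dn="{IDM_DN}" write',
    f'to dn.subtree="ou=groups,{SUFFIX}" by dn="{IDM_DN}" write',
    f'to dn.subtree="ou=unixgroups,{SUFFIX}" by dn="{IDM_DN}" write',
    f'to * by {PEER} write by dn="{IDM_DN}" read by self read by * none',
]


def parse_directive(line):
    """Parse 'to <what>... by <who> [<level>] [<control>]...' into a dict."""
    tokens = shlex.split(line)          # strips the quotes around values
    assert tokens[0] == "to", line
    what, clauses, i = {}, [], 1
    while i < len(tokens) and tokens[i] != "by":
        if tokens[i] != "*":            # 'to *' selects every entry
            key, _, value = tokens[i].partition("=")
            what[key] = value.lower().split(",") if key == "attrs" else value
        i += 1
    while i < len(tokens):              # each 'by' starts a new clause
        clause = {"who": tokens[i + 1], "level": None, "control": "stop"}
        i += 2
        while i < len(tokens) and tokens[i] != "by":
            assert tokens[i] in LEVELS + CONTROLS, tokens[i]
            clause["level" if tokens[i] in LEVELS else "control"] = tokens[i]
            i += 1
        clauses.append(clause)
    return {"what": what, "by": clauses}


def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def what_matches(what, entry, attribute):
    """Entries are dicts with a 'dn' key and lowercase attribute names."""
    if "dn.base" in what and entry["dn"].lower() != what["dn.base"].lower():
        return False
    if "dn.subtree" in what and not in_subtree(entry["dn"], what["dn.subtree"]):
        return False
    if "attrs" in what and attribute.lower() not in what["attrs"]:
        return False
    if "filter" in what:                # only a single (attr=value) term is modelled
        name, value = re.fullmatch(r"\((\w+)=([^)]*)\)", what["filter"]).groups()
        return entry.get(name.lower()) == value
    return True


def who_matches(who, entry, bind_dn):
    """bind_dn is None for an anonymous (not yet authenticated) requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False
    if who == "self":
        return bind_dn.lower() == entry["dn"].lower()
    key, _, value = who.partition("=")
    if key in ("dn", "dn.exact"):
        return bind_dn.lower() == value.lower()
    assert key == "dn.subtree", who
    return in_subtree(bind_dn, value)


def access_level(directives, entry, attribute, bind_dn=None):
    """Level the directives grant bind_dn on entry/attribute under this model."""
    granted = "none"
    for directive in directives:
        if not what_matches(directive["what"], entry, attribute):
            continue
        for clause in directive["by"]:
            if not who_matches(clause["who"], entry, bind_dn):
                continue
            if clause["level"] is not None:
                granted = clause["level"]
            if clause["control"] == "stop":
                return granted
            if clause["control"] == "break":
                break               # leave this directive, try the next one
        else:
            return "none"           # selected directive, nobody matched
    return granted


def bind_allowed(directives, entry):
    """A simple bind is checked as anonymous and needs 'auth' on userPassword."""
    level = access_level(directives, entry, "userPassword", None)
    return LEVELS.index(level) >= LEVELS.index("auth")


ACL = [parse_directive(line) for line in ACL_LINES]
# Constructed sample entries; the status attribute is what the first filter tests.
DISABLED_USER = {"dn": f"uid=alice,ou=people,{SUFFIX}",
                 "midpointaccountstatus": "disabled", "userpassword": "{SSHA}constructed"}
ENABLED_USER = {"dn": f"uid=bob,ou=people,{SUFFIX}",
                "midpointaccountstatus": "enabled", "userpassword": "{SSHA}constructed"}

if __name__ == "__main__":
    print("disabled user can bind:", bind_allowed(ACL, DISABLED_USER))
    print("enabled user can bind: ", bind_allowed(ACL, ENABLED_USER))
    # Same directives with the first two swapped: the generic userPassword rule
    # now matches first and grants anonymous 'auth' to disabled accounts too.
    print("swapped order, disabled:", bind_allowed([ACL[1], ACL[0]] + ACL[2:], DISABLED_USER))
```

Under the posted ordering the model denies the disabled account's bind and lets the enabled one through, while swapping the first two directives lets the disabled account bind again: slapd uses the first directive whose <what> matches, so a deny rule placed after the generic userPassword rule never runs. If the real server still accepts the bind with the posted ordering, the difference lies in something this model does not see, for instance whether the entry actually carries the attribute and value the filter tests for.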


________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Parttimaa Jan <jan.parttimaa at myy.haaga-helia.fi>
Sent: Tuesday 27 November 2018 8:45
To: gustav.palos at evolveum.com; midPoint General Discussion
Subject: Re: [midPoint] Disable OpenLDAP Users on MidPoint


Hi,



I checked that and I added this to aci.ldif, but no luck:



olcAccess: to attrs=userPassword dn.subtree="ou=people,dc=ldap,dc=pisnismiehet,dc=local" filter="(midPointAccountStatus=disabled)" by dn.subtree="ou=unixgroups,dc=ldap,dc=pisnismiehet,dc=local" none by anonymous none by * break



Disabled users can still log in to Linux via OpenLDAP.



We did the OpenLDAP installation and configuration following this wiki article <https://wiki.evolveum.com/display/midPoint/OpenLDAP+Installation+and+Configuration>.



Not sure whether the ACI row above is correct or not.



Best Regards,

Jan Parttimaa



Jan Parttimaa

1602738,

Degree Programme in Business Information Technology,

Haaga-Helia University of Applied Sciences, Pasila campus



From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Pálos Gustáv
Sent: Monday 26 November 2018 22:55
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Disable OpenLDAP Users on MidPoint



Hi Jan,



please see:

https://wiki.evolveum.com/display/midPoint/Recommended+OpenLDAP+Structure#RecommendedOpenLDAPStructure-AccountDisableMechanism



Best regards,



Gustav



On Mon 26. 11. 2018 at 19:57 Parttimaa Jan <jan.parttimaa at myy.haaga-helia.fi> wrote:

Hi,



I read that disabling OpenLDAP users in MidPoint can be a pain in the ass. How do you disable OpenLDAP users in MidPoint? Any tips and tricks about this?



Best Regards,

Jan Parttimaa



Jan Parttimaa

1602738,

Degree Programme in Business Information Technology,

Haaga-Helia University of Applied Sciences, Pasila campus



_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint




--

Gustáv Pálos

Identity Engineer

evolveum.com <http://evolveum.com/>

