[midPoint] Disable OpenLDAP Users on MidPoint

Oleksandr Nekriach o.nekriach at dynatech.lv
Wed Nov 28 09:45:26 CET 2018


Hi Jan,
First of all, you should make sure that you don't use the Unix password for
authentication. Try to change the user's password with the passwd command and
check that this password did not sync to LDAP.
Also please note that in my case the break statement in the ACL, for an
unknown reason, does not stop the search through the ACL rules.

Best regards, Oleksandr

On Wed, 28 Nov 2018 at 09:26, Parttimaa Jan <jan.parttimaa at myy.haaga-helia.fi> wrote:

> Hi,
>
>
> Here is our complete ACI. We did our OpenLDAP installation and
> configuration following this wiki article
> <https://wiki.evolveum.com/display/midPoint/OpenLDAP+Installation+and+Configuration>:
>
>
> dn: olcDatabase={1}mdb,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: to attrs=userPassword
>   dn.subtree="ou=people,dc=ldap,dc=pisnismiehet,dc=local"
>   filter="(midPointAccountStatus=disabled)"
>   by dn.subtree="ou=unixgroups,dc=ldap,dc=pisnismiehet,dc=local" none
>   by anonymous none
>   by * break
> olcAccess: to attrs=userPassword,shadowLastChange
>   by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" write
>   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
>   by anonymous auth
>   by self write
>   by * none
> olcAccess: to dn.base="" by * read
> olcAccess: to dn.subtree="ou=people,dc=ldap,dc=pisnismiehet,dc=local"
>   by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" write
> olcAccess: to dn.subtree="ou=groups,dc=ldap,dc=pisnismiehet,dc=local"
>   by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" write
> olcAccess: to dn.subtree="ou=unixgroups,dc=ldap,dc=pisnismiehet,dc=local"
>   by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" write
> olcAccess: to *
>   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
>   by dn="cn=idm,ou=Administrators,dc=ldap,dc=pisnismiehet,dc=local" read
>   by self read
>   by * none
>
> We added the yellow line above according to this
> <https://github.com/Evolveum/midpoint/blob/master/samples/resources/openldap/olcAccess.ldif>, but
> no luck. Disabled users on MidPoint can still log in to the Linux server and
> desktop via OpenLDAP. We added midpoint.schema to our OpenLDAP
> successfully.
>
>
> Is that yellow line correct? Should I add or modify something else?
>
>
> Best Regards,
>
> Jan Parttimaa
>
>
>
>
> *Jan Parttimaa*
>
> *1602738,*
>
> *Degree Programme in Business Information Technology,*
>
> *Haaga-Helia University of Applied Sciences, Pasila campus*
>
>
> ------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
> Parttimaa Jan <jan.parttimaa at myy.haaga-helia.fi>
> *Sent:* Tuesday, 27 November 2018 8:45
> *To:* gustav.palos at evolveum.com; midPoint General Discussion
> *Subject:* Re: [midPoint] Disable OpenLDAP Users on MidPoint
>
>
> Hi,
>
>
>
> I checked that and I added this to aci.ldif but no luck:
>
>
>
> olcAccess: to attrs=userPassword
>   dn.subtree="ou=people,dc=ldap,dc=pisnismiehet,dc=local"
>   filter="(midPointAccountStatus=disabled)"
>   by dn.subtree="ou=unixgroups,dc=ldap,dc=pisnismiehet,dc=local" none
>   by anonymous none
>   by * break
>
>
>
> Disabled users can still log in to Linux via OpenLDAP.
>
>
>
> We did OpenLDAP installation and configuration following this wiki article
> <https://wiki.evolveum.com/display/midPoint/OpenLDAP+Installation+and+Configuration>
> .
>
>
>
> Not sure whether the ACI row above is correct or not.
>
>
>
> Best Regards,
>
> Jan Parttimaa
>
>
>
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of* Pálos Gustáv
> *Sent:* Monday, 26 November 2018 22:55
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Disable OpenLDAP Users on MidPoint
>
>
>
> Hi Jan,
>
>
>
> please see:
>
>
> https://wiki.evolveum.com/display/midPoint/Recommended+OpenLDAP+Structure#RecommendedOpenLDAPStructure-AccountDisableMechanism
>
>
>
> Best regards,
>
>
>
> Gustav
>
>
>
> On Mon, 26 Nov 2018 at 19:57, Parttimaa Jan <jan.parttimaa at myy.haaga-helia.fi>
> wrote:
>
> Hi,
>
>
>
> I read that disabling OpenLDAP users in MidPoint can be a pain in the ass. How
> do you disable OpenLDAP users in MidPoint? Any tips and tricks about this?
>
>
>
> Best Regards,
>
> Jan Parttimaa
>
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> --
>
> Gustáv Pálos
>
> Identity Engineer
>
> evolveum.com
>


-- 
Best regards,



Oleksandr Nekriach | Identity and access management engineer

Dynatech, Jeruzalemes iela 1, Rīga, LV-1010, Latvia

+37125314685, o.nekriach at dynatech.lv | www.dynatech.lv
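The bind-time effect of the ACL posted in this thread, as an added example that is not from the thread or the midPoint project: a Python model of OpenLDAP's documented first-match olcAccess evaluation (the first matching `to` clause wins, its `by` clauses are tried in order, the default control is `stop`, `break` falls through to the next `to` clause, and no matching `by` means `none`), run over the two posted rules that decide a simple bind. The entries `alice`, `bob` and `carol` are constructed; the third one models an account disabled in midPoint whose midPointAccountStatus value never reached the LDAP entry, which is the case a practitioner should rule out first.

```python
# Added example (not from the thread or midPoint): OpenLDAP's documented olcAccess
# evaluation, modelled for the two posted rules that decide a simple bind.
BASE = "dc=ldap,dc=pisnismiehet,dc=local"
PEOPLE, UNIXGROUPS = f"ou=people,{BASE}", f"ou=unixgroups,{BASE}"
IDM = f"cn=idm,ou=Administrators,{BASE}"
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

# `by` tuples are (who, access, control); who is "*", "anonymous", "self", or (kind, dn).
ACL = [
    {"attrs": {"userPassword"}, "subtree": PEOPLE,            # the "yellow line"
     "filter": ("midPointAccountStatus", "disabled"),
     "by": [(("subtree", UNIXGROUPS), "none", "stop"), ("anonymous", "none", "stop"),
            ("*", "none", "break")]},
    {"attrs": {"userPassword", "shadowLastChange"},
     "by": [(("dn", IDM), "write", "stop"), ("anonymous", "auth", "stop"),
            ("self", "write", "stop"), ("*", "none", "stop")]},
]

def who_matches(who, requester, target_dn):
    if who in ("*", "anonymous", "self"):
        return who == "*" or (requester is None if who == "anonymous" else requester == target_dn)
    kind, value = who
    return requester == value if kind == "dn" else in_subtree(requester or "", value)

def access(entry, attr, requester=None):
    """Access level `requester` (None = anonymous) gets on entry[attr] under ACL."""
    for rule in ACL:
        if "attrs" in rule and attr not in rule["attrs"]:
            continue
        if "subtree" in rule and not in_subtree(entry["dn"], rule["subtree"]):
            continue
        if "filter" in rule and entry.get(rule["filter"][0]) != rule["filter"][1]:
            continue
        for who, level, control in rule["by"]:
            if who_matches(who, requester, entry["dn"]):
                if control == "break":
                    break                      # fall through to the next `to` clause
                return level
        else:
            return "none"                      # no `by` matched: denied
    return "none"

def simple_bind_allowed(entry):
    """slapd checks a simple bind as the anonymous requester needing `auth` on userPassword."""
    return LEVELS.index(access(entry, "userPassword")) >= LEVELS.index("auth")

# Constructed entries; only the literal value "disabled" makes the first rule fire.
ENABLED = {"dn": f"uid=alice,{PEOPLE}", "midPointAccountStatus": "enabled"}
DISABLED = {"dn": f"uid=bob,{PEOPLE}", "midPointAccountStatus": "disabled"}
UNSYNCED = {"dn": f"uid=carol,{PEOPLE}"}  # disabled in midPoint, attribute never written to LDAP
```

Against the real server the same two checks are an `ldapsearch` for the midPointAccountStatus value on the user's entry and a test bind as that user (`ldapwhoami -x -D <user dn> -W`), which should fail with invalid credentials once the rule fires; the `break` on `by *` is what still lets cn=idm write the password of a disabled account.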



