LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Reload this Page access control policy in slapd.conf
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
LinkBack Search this Thread
Old 05-05-2009, 06:57 AM   #1
niraj.kumar
LQ Newbie
 
Registered: Nov 2008
Posts: 27

Rep: Reputation: 15
access control policy in slapd.conf

How can i set access control policy in smbopenldap's slapd.conf file
so that a user login using myphpldapadim only can see his own property, not others. I have tried the following in slapd.conf file :-

access to dn.base="cn=Manager,dc=mydomain,dc=com"
by self write
by self read

when using the above parameter, user login using phpmyldapadmin
but can see others users property also(unable to write others).

it is possible that he can only read and write his own not to others?

Thanks,

Niraj Kumar.
 
Old 05-05-2009, 01:04 PM   #2
archangel_617b
Member
 
Registered: Sep 2003
Location: GMT -08:00
Distribution: Kubuntu, RHEL/CentOS
Posts: 233

Rep: Reputation: 42
I have an ACL in my slapd.conf that looks like this:

Code:
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=dl,dc=example,dc=com" write
        by * read
Changing the line "by * read" to "by * none" should help. You may be better of just restricting specific attributes instead, however, or else making sure that you've got some account that can be used for read-only access to everything.

For restricting specific attributes, look at your access list for the password field:

Code:
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=dl,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
And for a read-only user, it should look something like this:

Code:
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=dl,dc=example,dc=com" write
        by dn="cn=readonly,dc=dl,dc=example,dc=com" read
        by * none
- Arch
 
Old 05-05-2009, 01:08 PM   #3
archangel_617b
Member
 
Registered: Sep 2003
Location: GMT -08:00
Distribution: Kubuntu, RHEL/CentOS
Posts: 233

Rep: Reputation: 42
Quote:
Originally Posted by niraj.kumar View Post
Code:
 access to dn.base="cn=Manager,dc=mydomain,dc=com"
        by self write
        by self read
But maybe just adding "by * none" and the end of that ACL will do what you want?

Sorry, I'm not exactly an expert in building ACLs for slapd but I hope this helps.

- Arch
 
Old 05-06-2009, 06:58 AM   #4
niraj.kumar
LQ Newbie
 
Registered: Nov 2008
Posts: 27

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by archangel_617b View Post
I have an ACL in my slapd.conf that looks like this:

Code:
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=dl,dc=example,dc=com" write
        by * read
Changing the line "by * read" to "by * none" should help. You may be better of just restricting specific attributes instead, however, or else making sure that you've got some account that can be used for read-only access to everything.

For restricting specific attributes, look at your access list for the password field:

Code:
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=dl,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
And for a read-only user, it should look something like this:

Code:
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=dl,dc=example,dc=com" write
        by dn="cn=readonly,dc=dl,dc=example,dc=com" read
        by * none
- Arch
Many Many Thanks for your nice reply.

Niraj
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenLDAP error... can't find slapd.conf that Linux guy Linux - Server 7 10-17-2011 07:46 AM
access control lists in squid.conf zebias Linux - Newbie 3 11-08-2007 11:45 AM
Need to modify chmod & mv to make use of a time-based access control policy avaleriu Programming 3 11-03-2006 09:26 AM
openldap replication master/slave slapd.conf paul_mat Linux - Networking 1 11-30-2005 01:54 PM
Httpd.conf for access control BillyB Linux - Newbie 1 02-26-2005 01:23 PM


All times are GMT -5. The time now is 12:13 AM.

Contact Us - Advertising Info - Rules - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
 
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: @linuxquestions
Open Source Consulting | Domain Registration