Configuring ACLs in openLDAP server

From Notes_Wiki

Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > ACLs

Adding ACLs

To add ACLs, create an ACL configuration file named '/etc/openldap/slapd.acl' and add the following line to 'slapd.conf' so that the file is read at startup:

include		/etc/openldap/slapd.acl

Add the line before the "database bdb" line. Access directives that appear before the first "database" directive are global and act as the default for every database; directives placed after it apply only to that database. Check the result with slaptest(8) and restart slapd for the change to take effect.


Restricting access to attribute

For attributes such as userPassword, it is usually desired that only the user (and the rootdn, which bypasses ACLs altogether) can see the attribute value, and that a user can change only his or her own userPassword. To achieve this add the following lines to the 'slapd.acl' file. "by anonymous auth" lets an unauthenticated client use the attribute for a bind, which is what makes login possible, but does not let it read or search on the value; the final "by * none" is the implicit default at the end of every clause and is written out here for clarity.

access to attrs=userPassword
      by self     write 
      by anonymous auth
      by  *       none


Disabling anonymous access

To force anonymous clients to authenticate before they can read any attribute of any entry, the following ACL can be used. Because slapd uses the first "access to" clause that covers the target and ignores the rest, this catch-all rule must come after the userPassword rule above in 'slapd.acl'; if it came first, the userPassword rule would never be reached and every authenticated user could read everybody's password value.

access to *
      by self       write
      by anonymous  auth
      by *          read 

Please note that in this case an authenticated user "A" can read all attributes of user "B" and of any other entry in the directory (userPassword excepted, because the earlier rule is matched first), and that "by self write" on "*" also lets a user modify every attribute of his or her own entry, not only userPassword. To authenticate, the user specifies his or her DN with the '-D' option and the password with '-W' (prompted) or '-w' (on the command line, where it is visible in the process list and shell history). The password is set through the 'userPassword' attribute when the user is added. ldapsearch prints userPassword base64-encoded (a '::' separator in the LDIF output) rather than as is, even for the rootdn; this only keeps the value off the screen and is trivially reversed, so the stored value should be a password hash produced with slappasswd rather than the cleartext shown in the sample below. The effect of an ACL on a given DN and attribute can be checked offline with slapacl(8) before slapd is restarted.
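As an added illustration (not code from this wiki or from OpenLDAP), the following Python model evaluates the two rules above, the userPassword rule and the catch-all rule, with the first-match semantics slapd applies: the first "access to" clause that covers the target is chosen, then the first matching "by" clause inside it fixes the access level, and the rootdn is exempt. It assumes a second user cn=User2 and a rootdn of cn=Manager,dc=sbarjatiya,dc=com, both constructed for the example, and it also evaluates the two rules in reversed order to show why the catch-all must come last.

```python
"""Toy model of how slapd evaluates the ACLs on this page.

Added illustration, not OpenLDAP code.  It follows the evaluation order
described in the OpenLDAP Administrator's Guide (access-control chapter):
  * the FIRST `access to <what>` clause that covers the target (entry +
    attribute) is used; later clauses are ignored for that target;
  * inside it the FIRST matching `by <who>` fixes the level, and every
    clause ends with an implicit `by * none`;
  * levels form a ladder and a granted level implies all lower ones;
  * the rootdn is never subject to ACLs.
DN comparison is simplified to case/whitespace-insensitive string equality.
"""

# Access ladder from slapd.access(5); write is the highest level modelled here.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ANONYMOUS = None  # requester DN of an unauthenticated client


def _norm(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()


def who_matches(who, requester_dn, target_dn):
    """The `by <who>` selectors used on this page."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is ANONYMOUS
    if who == "users":
        return requester_dn is not ANONYMOUS
    if who == "self":
        return requester_dn is not ANONYMOUS and _norm(requester_dn) == _norm(target_dn)
    raise ValueError("unsupported <who>: " + who)


def what_matches(what, attr):
    """`access to <what>`: either `*` or `attrs=<comma list>`."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    raise ValueError("unsupported <what>: " + what)


def access_level(acl, requester_dn, target_dn, attr=None, rootdn=None):
    """Level `requester_dn` gets on `attr` of `target_dn` (attr=None: the entry)."""
    if rootdn is not None and requester_dn is not ANONYMOUS \
            and _norm(requester_dn) == _norm(rootdn):
        return "write"  # rootdn bypasses ACL processing entirely
    for what, by_clauses in acl:
        if not what_matches(what, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # implicit `by * none` at the end of the matched clause
    return "none"  # access directives exist but none covers the target: denied


def allowed(acl, requester_dn, target_dn, attr, needed, rootdn=None):
    got = access_level(acl, requester_dn, target_dn, attr, rootdn)
    return LEVELS.index(got) >= LEVELS.index(needed)


# The two rules from slapd.acl above, in the order this page gives them.
PAGE_ACL = [
    ("attrs=userPassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("*",                  [("self", "write"), ("anonymous", "auth"), ("*", "read")]),
]
# The same rules with the catch-all first: the userPassword clause is now dead code.
WRONG_ORDER_ACL = list(reversed(PAGE_ACL))

USER1 = "cn=User1,ou=People,dc=sbarjatiya,dc=com"
USER2 = "cn=User2,ou=People,dc=sbarjatiya,dc=com"  # constructed second user
ROOT = "cn=Manager,dc=sbarjatiya,dc=com"            # assumed rootdn of the database


def demo(acl=PAGE_ACL):
    """Who can do what under `acl`; each key reads as a yes/no question."""
    return {
        "anonymous can bind as User1":        allowed(acl, ANONYMOUS, USER1, "userPassword", "auth"),
        "anonymous can read User1 mail":      allowed(acl, ANONYMOUS, USER1, "mail", "read"),
        "User1 can read own userPassword":    allowed(acl, USER1, USER1, "userPassword", "read"),
        "User1 can change own userPassword":  allowed(acl, USER1, USER1, "userPassword", "write"),
        "User1 can rewrite own mail":         allowed(acl, USER1, USER1, "mail", "write"),
        "User2 can read User1 userPassword":  allowed(acl, USER2, USER1, "userPassword", "read"),
        "User2 can read User1 mail":          allowed(acl, USER2, USER1, "mail", "read"),
        "rootdn can read User1 userPassword": allowed(acl, ROOT, USER1, "userPassword", "read", rootdn=ROOT),
    }


if __name__ == "__main__":
    for name, acl in (("page order", PAGE_ACL), ("catch-all first", WRONG_ORDER_ACL)):
        print(name)
        for question, answer in demo(acl).items():
            print("  %-36s %s" % (question, "yes" if answer else "no"))
```

Running the file prints both tables. In page order User2 gets "none" on User1's userPassword but "read" on User1's mail; with the catch-all first, User2 gets "read" on the password value, which is the leak the rule order on this page avoids. Against the real server, slapacl(8) answers the same questions from slapd.conf without a client bind.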

A sample entry with userPassword is shown below. The RDN value in the dn (cn=User1) must also be present as a cn attribute of the entry, or slapd rejects the add with a naming violation.

dn: cn=User1,ou=People,dc=sbarjatiya,dc=com
objectClass: inetOrgPerson
# cn is required by the person objectClass, which inetOrgPerson inherits
cn: User1
# sn is required by the person objectClass as well
sn: J
uid: user1.j
mail: user1.j@example.com
ou: people
# cleartext shown for illustration only; use a {SSHA} hash from slappasswd in practice
userPassword: pqr123


The access-control chapter of the OpenLDAP Administrator's Guide, http://www.openldap.org/doc/admin24/access-control.html, covers ACLs in considerably more detail. Refer to it for "sets", which can express ACLs over nested (recursive) groups, and for the "peername" selector, which restricts access by client IP address.


