Configuring ACLs in openLDAP server
Latest revision as of 15:08, 13 March 2022
Adding ACLs
To add ACLs, create an ACL configuration file named '/etc/openldap/slapd.acl' and modify 'slapd.conf' so that it contains

    include /etc/openldap/slapd.acl

The above line can be added before the "database bdb" line.
Restricting access to an attribute
For attributes such as userPassword, it may be desired that only the user (and the root user) can see the attribute value. It may also be desired to allow the user to change only his/her own userPassword. To achieve this, add the following lines to the 'slapd.acl' file:
    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
Disabling anonymous access
To force anonymous users to authenticate before they can read any attribute of any entry, the following ACL can be used:
    access to *
        by self write
        by anonymous auth
        by * read
Please note that in this case a user "A" would be able to read all attributes of user "B", or of any other entry in the directory, once he/she is authenticated. To authenticate, the user should specify his/her DN with the '-D' option and the password with '-W' (prompted) or '-w' (given on the command line). The password should be specified while adding the user, using the 'userPassword' attribute. As a security measure, ldapsearch does not display the value of the 'userPassword' field as-is, even for the root user.
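The two directives above are evaluated the way slapd.access(5) describes: directives are tried in file order, the first directive whose "to" part matches the request decides, and within it the first matching "by" clause sets the access level (anything not matched ends in an implicit "by * none"). The following added example (not code from the wiki page or from OpenLDAP) is a small evaluator for that subset of the ACL language, run over the page's two directives. It assumes a rootdn of cn=Manager,dc=sbarjatiya,dc=com and a constructed second user cn=Other,ou=People,dc=sbarjatiya,dc=com; the DN cn=Guruprasad,ou=People,dc=sbarjatiya,dc=com is the sample entry from the page. It also shows what happens if the catch-all "access to *" directive is placed before the userPassword directive: the userPassword rule is never reached and any authenticated user can read other users' passwords.

```python
"""Evaluator for the subset of OpenLDAP 'access to ... by ...' used on the page.

Added example, not the wiki page's or OpenLDAP's own code. Supported <what>:
'*' and 'attrs=<list>'; supported <who>: '*', 'anonymous', 'users', 'self'.
"""
import re
from typing import List, Optional, Tuple

# Access levels, lowest to highest; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Assumed rootdn (constructed for this example); the rootdn bypasses ACLs.
ROOTDN = "cn=Manager,dc=sbarjatiya,dc=com"

Rule = Tuple[str, List[Tuple[str, str]]]  # (<what>, [(<who>, <level>), ...])


def parse_acl(text: str) -> List[Rule]:
    """Parse access directives in file order; '#' comment lines are ignored."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    rules: List[Rule] = []
    for block in re.split(r"(?m)^\s*access\s+to\s+", "\n".join(lines))[1:]:
        tokens = block.split()
        first_by = tokens.index("by")
        if (len(tokens) - first_by) % 3:
            raise ValueError(f"malformed 'by' clauses in: {block!r}")
        what = " ".join(tokens[:first_by])
        clauses = [(tokens[i + 1], tokens[i + 2]) for i in range(first_by, len(tokens), 3)]
        rules.append((what, clauses))
    return rules


def _what_matches(what: str, attr: Optional[str]) -> bool:
    if what == "*":
        return True
    m = re.fullmatch(r"attrs=(.+)", what)
    if m:
        if attr is None:  # entry-level request, not an attribute access
            return False
        return attr.lower() in {a.strip().lower() for a in m.group(1).split(",")}
    raise ValueError(f"unsupported <what> clause: {what!r}")


def _who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    raise ValueError(f"unsupported <who> clause: {who!r}")


def granted_level(rules: List[Rule], requester: Optional[str], entry_dn: str,
                  attr: Optional[str] = None) -> str:
    """Level a requester (bind DN, or None for anonymous) gets on entry_dn/attr."""
    if requester is not None and requester.lower() == ROOTDN.lower():
        return "manage"
    for what, clauses in rules:
        if not _what_matches(what, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, requester, entry_dn):
                return level  # first matching 'by' clause wins
        return "none"  # directive matched, no 'by' clause did: implicit 'by * none'
    return "none"  # no directive matched the request


def allows(rules: List[Rule], requester: Optional[str], entry_dn: str,
           attr: Optional[str], needed: str) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(rules, requester, entry_dn, attr)) >= LEVELS.index(needed)


# The two directives from the page, in the order the page gives them.
PAGE_ACL = parse_acl("""
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by anonymous auth
    by * read
""")

# Same clauses with the catch-all directive first: the userPassword rule is shadowed.
SWAPPED_ACL = parse_acl("""
access to *
    by self write
    by anonymous auth
    by * read
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
""")

USER1 = "cn=Guruprasad,ou=People,dc=sbarjatiya,dc=com"  # sample entry from the page
USER2 = "cn=Other,ou=People,dc=sbarjatiya,dc=com"       # constructed second user


def demo() -> dict:
    """Answers the access questions the page raises, for both orderings."""
    return {
        "anon_reads_password": allows(PAGE_ACL, None, USER1, "userPassword", "read"),
        "anon_can_bind": allows(PAGE_ACL, None, USER1, "userPassword", "auth"),
        "self_changes_password": allows(PAGE_ACL, USER1, USER1, "userPassword", "write"),
        "other_reads_password": allows(PAGE_ACL, USER2, USER1, "userPassword", "read"),
        "other_reads_mail": allows(PAGE_ACL, USER2, USER1, "mail", "read"),
        "anon_reads_mail": allows(PAGE_ACL, None, USER1, "mail", "read"),
        "swapped_other_reads_password": allows(SWAPPED_ACL, USER2, USER1, "userPassword", "read"),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question}: {answer}")
```

Against a running server the same questions can be put to slapacl(8), which evaluates the real configuration for a given bind DN, entry and attribute; the simulator above is only for seeing why the userPassword directive has to come before "access to *".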
A sample entry with a userPassword attribute:

    dn: cn=Guruprasad,ou=People,dc=sbarjatiya,dc=com
    objectClass: inetOrgPerson
    # Required (MUST) by the person object class
    cn: User1
    # Required (MUST) by the person object class
    sn: J
    uid: user1.j
    mail: user1.j@example.com
    ou: people
    userPassword: pqr123
The OpenLDAP Administrator's Guide, http://www.openldap.org/doc/admin24/access-control.html, covers ACLs in considerable detail. Refer to it for sets, which can handle recursive (nested) groups in ACLs. OpenLDAP ACLs can also be based on the client IP address with the help of the peername option, which is also described at that URL.