Configuring ACLs in openLDAP server
Adding ACLs
To add ACLs, create an ACL configuration file named '/etc/openldap/slapd.acl' and modify 'slapd.conf' so that it contains the line
include /etc/openldap/slapd.acl
The above line can be added before the "database bdb" line.
Restricting access to attribute
For attributes such as userPassword, it may be desired that only the user (and the root user) can see the attribute value. It may also be desired to allow the user to change only his/her own userPassword. To achieve this, add the following lines to the 'slapd.acl' file:
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
Disabling anonymous access
To force anonymous users to authenticate before they can read any attribute of any user, the following ACL can be used:
access to *
    by self write
    by anonymous auth
    by * read
Please note that in this case a user "A" would be able to read all attributes of user "B", or of any other entry in the directory, once he/she is authenticated. To authenticate, the user should specify his/her DN with the '-D' option and the password with '-W' (prompt) or '-w' (on the command line). The password is set when the user is added, using the 'userPassword' attribute. As a security measure, the value of the 'userPassword' field is not shown verbatim by ldapsearch, even for the root user; ldapsearch prints it base64-encoded (as 'userPassword::').
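The two rules above are meant to be used together, and the order in which they appear in 'slapd.acl' decides whether the userPassword protection actually works: slapd applies the first 'access to' clause whose target matches the entry and attribute being accessed, so the userPassword rule must come before the catch-all 'access to *' rule. If the order were reversed, the catch-all would match first and any authenticated user could read every other user's userPassword. The following complete 'slapd.acl' is an added example, not a file from the original page; the only page-specific value it relies on is the 'slapd.conf' include described above.

```conf
# /etc/openldap/slapd.acl (added example; included from slapd.conf before the
# "database bdb" line, as described above)

# 1. userPassword: the entry's own DN may change it, anonymous binds may only
#    use it to authenticate (bind), and everyone else gets nothing.
#    This clause MUST precede the catch-all below: slapd uses the first
#    "access to" clause whose target matches the attribute being accessed.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. Everything else: an entry may modify itself, anonymous clients may only
#    bind, and any other (authenticated) user gets read access.
#    "by anonymous auth" matches first for unauthenticated clients and
#    evaluation stops there, so "by * read" is only reached by bound users.
#    The rootdn configured in slapd.conf bypasses these ACLs entirely.
access to *
    by self write
    by anonymous auth
    by * read
```

After editing the file, check the configuration with 'slaptest -f /etc/openldap/slapd.conf' before restarting slapd. With these rules in place, an anonymous 'ldapsearch -x' should no longer return any entries, while the same search with '-D <user dn> -W' succeeds and shows every attribute except other users' userPassword.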
A sample entry with a userPassword attribute, in LDIF, is
dn: cn=Guruprasad,ou=People,dc=sbarjatiya,dc=com
# objectClass and cn are required by the person object class
objectClass: inetOrgPerson
cn: Guruprasad
sn: J
uid: guruprasad.j
mail: guruprasad.j@iiit.ac.in
ou: people
userPassword: pqr123
http://www.openldap.org/doc/admin24/access-control.html has considerable detail on ACLs. Refer to that page to learn about sets, which can handle recursive (nested) groups in ACLs. OpenLDAP ACLs can also be based on the client's IP address with the help of the peername option; this is also described at the given URL.