Difference between revisions of "Configuring ACLs in openLDAP server"

From Notes_Wiki
Latest revision as of 15:08, 13 March 2022

Adding ACLs

To add ACLs, create an ACL configuration file named '/etc/openldap/slapd.acl' and modify 'slapd.conf' so that it contains

include		/etc/openldap/slapd.acl

The above line can be added before the "database bdb" line. Because include is expanded in place, the ACLs in that file then sit before any database definition and therefore apply globally, to every database slapd serves.


Restricting access to attribute

For attributes such as userPassword, it may be desired that only the user (and the root user, i.e. the rootdn) can see the attribute value. It may also be desired to allow the user to change only his/her own userPassword. To achieve this, add the following lines to the 'slapd.acl' file:

access to attrs=userPassword
      by self       write
      by anonymous  auth
      by *          none


Disabling anonymous access

To force anonymous users to authenticate before they can read any attribute of any user, the following ACL can be used. Keep it after the userPassword ACL above: slapd uses the first 'access to' directive whose target matches, so if 'access to *' came first it would also grant read on userPassword to every authenticated user.

access to *
      by self       write
      by anonymous  auth
      by *          read

Please note that in this case a user "A" would be able to read all attributes of user "B", or of any other entry in the directory, once he/she is authenticated. For authentication the user should specify his/her DN with the '-D' option and the password with '-W' (prompted) or '-w' (given on the command line). The password should be specified while adding the user, using the 'userPassword' attribute. As a security measure the value of the 'userPassword' field is not shown as-is in ldapsearch output (it is printed base64-encoded), even for the root user.
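The following is an added example, not from this wiki page or from OpenLDAP itself: a small Python model of how slapd evaluates the two ACLs above (first matching 'access to' directive, then first matching 'by' clause, granted level compared with the level the operation needs). The DNs cn=User1/cn=User2 under dc=example,dc=com are assumed sample values, and the model deliberately omits sets, regex, peername and rootdn handling.

```python
# Added example (not from the wiki page or OpenLDAP): a small model of how slapd
# evaluates the two ACLs above, showing why their ORDER matters. Two rules:
#  1. the first "access to" directive whose target matches is the only one used;
#  2. within it, the first matching "by" clause decides, and the level it grants
#     must be at least the level the operation needs.
# Real slapd has much more (sets, regex, peername, break/stop/continue, rootdn
# bypassing ACLs entirely); this is a teaching model only.

# Privilege levels, increasing; a higher level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed sample DNs (assumed values, not from the page).
USER1 = "cn=User1,ou=People,dc=example,dc=com"
USER2 = "cn=User2,ou=People,dc=example,dc=com"

# The page's two directives, in the order the page gives them.
ACLS = [
    # access to attrs=userPassword: by self write / by anonymous auth / by * none
    {"attrs": {"userPassword"}, "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]},
    # access to *: by self write / by anonymous auth / by * read
    {"attrs": None, "by": [("self", "write"), ("anonymous", "auth"), ("*", "read")]},
]

def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous (unauthenticated) client."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":  # the requester is the entry being accessed
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    return False

def check_access(acls, requester_dn, target_dn, attr, needed):
    """True if the first matching directive grants at least `needed` on `attr`."""
    for acl in acls:
        if acl["attrs"] is not None and attr not in acl["attrs"]:
            continue  # this "to" clause does not cover attr; try the next directive
        for who, level in acl["by"]:
            if who_matches(who, requester_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False  # target matched but no "by" matched: implicit "by * none"
    return False  # no directive matched (the page's "access to *" always does)

if __name__ == "__main__":
    # With "access to *" first, User2 could read User1's userPassword.
    for name, acls in (("page order", ACLS), ("reversed", ACLS[::-1])):
        print(name, "User2 reads User1's userPassword:",
              check_access(acls, USER2, USER1, "userPassword", "read"))
```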

A sample entry with userPassword is:

dn: cn=User1,ou=People,dc=sbarjatiya,dc=com
objectClass: inetOrgPerson
# cn must match the RDN in the dn above and is required by the person object class
cn: User1
# sn is also required by the person object class
sn: J
uid: user1.j
mail: user1.j@example.com
ou: people
# plain-text value, stored exactly as given
userPassword: pqr123


http://www.openldap.org/doc/admin24/access-control.html has considerable detail on ACLs. Refer to that link to learn about sets, which can handle recursive (nested) groups in ACLs. OpenLDAP ACLs can also be based on the client IP address with the help of the peername option; this is also described at the given URL.