-----Original Message-----
From: openldap-software-bounces+dburklan=nmdp.org@OpenLDAP.org [mailto:openldap-software-bounces+dburklan=nmdp.org@OpenLDAP.org] On Behalf Of Dan Burkland
Sent: Friday, May 14, 2010 12:43 PM
To: openldap-software@openldap.org
Subject: OpenLDAP 2.3 Access Lists
Hello all,
I have been trying as of late to secure my OpenLDAP directory and I seem to have run into a wall. I am trying to restrict access to certain attributes for my user entries located in ou=people,dc=example,dc=com so that only my binddn can access them. Here is a list of my current ACLs:
access to dn="cn=binddn,ou=system,ou=services,dc=example,dc=com" attrs=userPassword by * auth
access to dn.regex="uid=.*,ou=people,dc=example,dc=com" attrs=uid,uidNumber,loginShell by dn="cn=binddn,ou=system,ou=services,dc=example,dc=com" read by * none
It seems I can get the rule to match without the "attrs" argument; however, as soon as I add that to the ACL entry I get denied access to the previously listed attributes for users in ou=people. If it helps any, I am using the OpenLDAP-servers 2.3.43 CentOS RPM.
Thanks again,
Dan

I was finally able to resolve my issue by replacing "none" with "break" in all of the user account entries.
Dan
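A fuller slapd.conf ACL set for the setup discussed in this thread, added here as an example (it is not Dan's actual configuration), showing the original "none" clause next to the "break" fix and why directive order matters. The anchored regex and the third directive are additions for illustration, and every DN other than the two posted ones is assumed.

```conf
# Added example (not from the thread): slapd.conf ACLs for the situation
# above.  DNs other than the two posted ones are constructed for illustration.
# Directives are tried in order; the first "access to" whose <what> (DN plus
# attrs) covers the entry/attribute being checked is used, and inside it the
# first matching "by" clause decides.  The default control is "stop".

# Password of the service account (with the closing quote the posted line
# lacks).  "by * auth" means nobody reads it; the directive stops here, so
# no later rule can hand out more.
access to dn.exact="cn=binddn,ou=system,ou=services,dc=example,dc=com"
        attrs=userPassword
    by * auth

# Sensitive account attributes: only the service DN may read them.
# The regex is anchored; the unanchored form in the post also matches any
# DN that merely contains that text, e.g. entries below a user.
#
# Original last clause:  by * none
#   Evaluation stops; everyone else gets nothing for these attributes and
#   the directives below are never consulted for them.
# Fix from the thread:   by * break
#   Grants nothing here but lets evaluation continue with the next directive
#   that covers the attribute, so the rules below decide what other
#   requesters get.  The restriction is therefore only as strict as those
#   later rules: with the directive after this one, users can still search
#   on uid and a user can read his own loginShell.
access to dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$"
        attrs=uid,uidNumber,loginShell
    by dn.exact="cn=binddn,ou=system,ou=services,dc=example,dc=com" read
    by * break

# A directive with attrs= covers only the listed attributes.  The "entry"
# pseudo-attribute (read access is needed before an entry is returned at
# all) and every other attribute need a directive of their own, or they
# fall to the implicit deny at the end.
access to dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$"
    by dn.exact="cn=binddn,ou=system,ou=services,dc=example,dc=com" read
    by self read
    by users search
    by * none

access to *
    by * none
```

slapacl(8) can check the outcome against the config file without a running server, e.g. `slapacl -f slapd.conf -u -D "cn=binddn,ou=system,ou=services,dc=example,dc=com" -b "uid=dan,ou=people,dc=example,dc=com" uid/read loginShell/read` (uid=dan is a constructed DN; -u skips fetching the entry from the database).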