All,
I am inheriting the support of small openldap deployment and I am new to it. I have a request to create a security group to this implementation and only users in this group should have access to manage objects in the ldap.
We have something like this:
+-dc=nocinbox,dc=com +---ou=groups +---cn=admin +---cn=app-admin +---cn=sec-admin +---ou=users +---cn=admin +---cn=appadmin +---cn=appadmin2 +---cn=secadmin
In the olcDatabase configuration I have the following:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none olcAccess: {1}to attrs=shadowLastChange by self write by * read olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid" write by * read
And only secadmin can make changes in the LDAP, that is great.
However, all other users can ldapsearch:
$ ldapsearch -x -v -H ldaps://openldap:636 -b "dc=nocinbox,dc=inc" -D "cn=admin,ou=users,dc=nocinbox,dc=inc" -W | grep numResponses ldap_initialize( ldaps://openldap:636/??base ) Enter LDAP Password: filter: (objectclass=*) requesting: All userApplication attributes # numResponses: 29
Is there any olcAccess configuration I can used to not allow any user to run ldapsearch but still able to authenticate them? They still need to ssh and access some web servers.
Thank you very much,
Gerson