On Fri, Dec 2, 2011 at 12:19 PM, Jayavant Patil jayavant.patil82@gmail.comwrote:
On Thu, Dec 1, 2011 at 7:12 PM, Jayavant Patil <jayavant.patil82@gmail.com
wrote:
On Wed, 30 Nov 2011 14:18:00 +0100 Raffael Sahli < public@raffaelsahli.com> wrote:
On 11/30/2011 01:48 PM, Jayavant Patil wrote:
On 11/30/2011 08:01 AM, Jayavant Patil wrote:
On Tue, Nov 29, 2011 at 6:26 PM, Jayavant Patil <jayavant.patil82@gmail.com mailto:jayavant.patil82@gmail.com
<mailto:jayavant.patil82@gmail.com
mailto:jayavant.patil82@gmail.com>> wrote:
>Mon, 28 Nov 2011 11:25:16 +0100 Raffael Sahli
<public@raffaelsahli.com mailto:public@raffaelsahli.com
<mailto:public@raffaelsahli.com mailto:public@raffaelsahli.com>>
wrote:
>Hi
>I think you mean SSL connection or the STARTTLS Layer...? >Please read the manual
http://www.openldap.org/doc/admin24/tls.html
Ok.
>And tree security: >On my server, a client user can only see his own object: Are you using simple authentication mechanism?
>Maybe create a rule like this: >access to filter=(objectClass= >simpleSecurityObject) > by self read > by * none
I am not getting what the ACL rule specifies. Any suggestions?
I have two users ldap_6 and ldap_7. I want to restrict a user to
see his own data only. In slapd.conf, I specified the rule as follows: access to * by self write by * none
But ldap_6 can see the ldap_7 user entries (or vice versa) with $ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -b
"ou=People,dc=abc,dc=com" "uid=ldap_7"
Any suggestions?
On Wed, 30 Nov 2011 08:38:32 +0100 Raffael Sahli
<public@raffaelsahli.com mailto:public@raffaelsahli.com> wrote:
Yes, that's exactly the rule I wrote above.
access to filter=(objectClass= simpleSecurityObject) by self read by * none
Maybe you have to change the objectClass to posixAccount, or both or whatever....
access to filter=(|(objectClass=
simpleSecurityObject)(objectClass=posixAccount))
by self read
by * none
Just add this rule before the global rule "access to *"
ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -b "ou=People,dc=abc,dc=com" "uid=ldap_7"
And if you search like this with bind "admin dn", you will see every object.... You have to bind with user ldap_6 and not with root
But anyway client user knows the admin dn and rootbindpassword. So, with this he will look into all directory information to which he is not supposed to do. e.g. ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster
So, how to avoid this?
Why client user knows the admin dn and pw????????
Because /etc/ldap.conf file on client contains admin dn and pw.
Each user information in the directory contains the following
entries(here, e.g. ldap_6)
dn: uid=ldap_6,ou=People,dc=abc,dc=com uid: ldap_6 cn: ldap_6 sn: ldap_6 mail: ldap_6@abc.com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: hostObject objectClass: simpleSecurityObject shadowLastChange: 13998 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 514 gidNumber: 514 homeDirectory: /home/ldap_6 host: * userPassword:: e2NyeXB0fSQxJGRUb1p6bVp5JGY2VFF5UWMxNndSbjdLcHpnMUlsdS8=
So, what should be the ACL rule so that each user can see his data
only? I tried but not getting the required, even >>the user himself is unable to see his own data.
--
Thanks & Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.
The user itself is unable to see its own info.
[ldap_6@client]$ ldapsearch -x -v -b "dc=abc,dc=com" "(cn=ldap_6)" -h
server
ldap_initialize( ldap://server ) filter: (cn=ldap_6) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <dc=abc,dc=com> with scope subtree # filter: (cn=ldap_6) # requesting: ALL #
# search result search: 2 result: 32 No such object
# numResponses: 1
--
Thanks & Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.
Can you show me your server as well as client side configuration settings?