I prefer to define specific access like:
Anonymous readers can only auth; users can read and modify after authentication. And I don't want to enter the cn=admin user password into client software, so I am trying to create a cn=redmine-user which I can use to bind with the Redmine LDAP authentication, and which has the right to write only to one group, ou=redmine.
Deactivate the anonymous bind globally:

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
To force authentication globally:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
Or is this an equivalent with an ACL? (But I don't see the difference between these two types of configuration ...)

olcAccess: to attrs=userPassword
  by self read
  by anonymous auth
  by * none
And after that I need to write an ACL to authorize my cn=redmine-user to write only to the group ou=redmine, but I have no idea how to write it.
What do you think about that? Thanks, best regards, Sr
On Sun, Dec 11, 2011 at 8:18 AM, Dieter Klünter dieter@dkluenter.de wrote:
On Sat, 10 Dec 2011 14:14:58 +0100, rey sebastien reyman64@gmail.com wrote:
Hello,
I am looking for some information on how to make read-only users on my OpenLDAP.
I already have cn=reader-only, and my DN is "dc=parisgeo,dc=cnrs,dc=fr".
How can I create a .ldif with a specific configuration to remove anonymous reading, and authorize reading of my LDAP only after authentication as cn=reader-only?
You may either make use of the database-specific configuration parameter 'olcReadOnly: TRUE' as described in man slapd-config(5), or define an appropriate access rule; see man slapd-access(5) for further information.
-Dieter
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E
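The three mechanisms discussed in the thread are not interchangeable, which is the difference the question in the first mail is after. olcDisallows: bind_anon only refuses anonymous bind requests; a client that never binds at all is still anonymous and can still search. olcRequires: authc refuses every operation (other than the bind itself and StartTLS) from an unauthenticated connection, whatever the ACLs say. An olcAccess rule with "by anonymous auth" only governs what anonymous can do with the named attribute, so on its own it limits password exposure but does not stop anonymous reads of everything else. The LDIF below is an added example, not something posted in the thread, that puts the three together for the dc=parisgeo,dc=cnrs,dc=fr tree and adds the ACL the first mail asks for. It assumes (these names are not in the original mails) that the data backend is olcDatabase={1}mdb, that the service account is cn=redmine-user,dc=parisgeo,dc=cnrs,dc=fr, and that the Redmine data lives under ou=redmine,dc=parisgeo,dc=cnrs,dc=fr; the userPassword rule uses "by self write" rather than the "by self read" of the original mail so that users can change their own password.

```ldif
# Added example, not from the thread. Assumptions: backend is {1}mdb (check
# with: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL olcDatabase
# and substitute e.g. {1}hdb), service account cn=redmine-user and data
# under ou=redmine, both directly beneath dc=parisgeo,dc=cnrs,dc=fr.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif

# 1. Refuse anonymous bind requests server-wide. This alone does not stop
#    an unbound client from searching: a client that never binds is still
#    treated as anonymous.
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

# 2. Require an authenticated identity for every operation except the bind
#    itself (and StartTLS). Set on the frontend database so it applies to
#    all backends. This is what closes the gap left by bind_anon alone.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

# 3. ACLs on the data database. "replace" discards whatever olcAccess values
#    are already there, so list the current ones first with
#    ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess
#    Rules are evaluated in {n} order and the first matching "to" clause
#    decides, so the password rule is first and the ou=redmine rule comes
#    before the catch-all. The rootdn (cn=admin) bypasses ACLs and is not
#    listed. "by anonymous auth" lets an unauthenticated bind compare the
#    password without ever being able to read it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=redmine,dc=parisgeo,dc=cnrs,dc=fr"
  by dn.exact="cn=redmine-user,dc=parisgeo,dc=cnrs,dc=fr" write
  by users read
  by * none
olcAccess: {2}to *
  by self write
  by users read
  by * none
```

After loading it, check each layer separately rather than trusting the file: `ldapwhoami -x -H ldap://localhost` (an anonymous bind) must now be rejected because of bind_anon; `ldapsearch -x -H ldap://localhost -b dc=parisgeo,dc=cnrs,dc=fr` without any -D (no bind at all) must be refused because of authc; and `ldapwhoami -x -H ldap://localhost -D cn=redmine-user,dc=parisgeo,dc=cnrs,dc=fr -W` must succeed. The ACL itself can be checked offline against the stored config with slapacl, for example `slapacl -F /etc/ldap/slapd.d -D "cn=redmine-user,dc=parisgeo,dc=cnrs,dc=fr" -b "cn=someone,ou=redmine,dc=parisgeo,dc=cnrs,dc=fr" "cn/write"`, which should report that write is allowed, and the same command with `-b "cn=someone,ou=people,dc=parisgeo,dc=cnrs,dc=fr"` should report that it is denied. If cn=redmine-user should be able to add and delete entries under ou=redmine but never modify the ou entry itself, use dn.children instead of dn.subtree in rule {1}.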