On 12/02/2011 07:49 AM, Jayavant Patil wrote:

On Thu, Dec 1, 2011 at 7:12 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:

> On Wed, 30 Nov 2011 14:18:00 +0100 Raffael Sahli <public@raffaelsahli.com> wrote:
>
>> On 11/30/2011 01:48 PM, Jayavant Patil wrote:
>>
>>>> On 11/30/2011 08:01 AM, Jayavant Patil wrote:
>>>>
>>>>> On Tue, Nov 29, 2011 at 6:26 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
>>>>>
>>>>>> Mon, 28 Nov 2011 11:25:16 +0100 Raffael Sahli <public@raffaelsahli.com> wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> I think you mean SSL connection or the STARTTLS Layer...?
>>>>>>> Please read the manual http://www.openldap.org/doc/admin24/tls.html
>>>>>> Ok.
>>>>>>
>>>>>>> And tree security:
>>>>>>> On my server, a client user can only see his own object:
>>>>>> Are you using the simple authentication mechanism?
>>>>>>
>>>>>>> Maybe create a rule like this:
>>>>>>> access to filter=(objectClass=simpleSecurityObject)
>>>>>>>     by self read
>>>>>>>     by * none
>>>>>>
>>>>>> I am not getting what the ACL rule specifies. Any suggestions?
>>>>>
>>>>> I have two users ldap_6 and ldap_7. I want to restrict a user to see his own data only.
>>>>> In slapd.conf, I specified the rule as follows:
>>>>> access to *
>>>>>     by self write
>>>>>     by * none
>>>>>
>>>>> But ldap_6 can see the ldap_7 user entries (or vice versa) with
>>>>> $ ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -b "ou=People,dc=abc,dc=com" "uid=ldap_7"
>>>>>
>>>>> Any suggestions?
>>>>
>>> On Wed, 30 Nov 2011 08:38:32 +0100 Raffael Sahli <public@raffaelsahli.com> wrote:
>>>> Yes, that's exactly the rule I wrote above.
>>>>
>>>> access to filter=(objectClass=simpleSecurityObject)
>>>>     by self read
>>>>     by * none
>>>>
>>>> Maybe you have to change the objectClass to posixAccount, or both, or whatever....
>>>>
>>>> access to filter=(|(objectClass=simpleSecurityObject)(objectClass=posixAccount))
>>>>     by self read
>>>>     by * none
>>>>
>>>> Just add this rule before the global rule "access to *".
>>>>
>>>>> ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -b "ou=People,dc=abc,dc=com" "uid=ldap_7"
>>>>
>>>> And if you search like this with bind "admin dn", you will see every object....
>>>> You have to bind with user ldap_6 and not with root.
>>>
>>> But anyway, the client user knows the admin dn and rootbindpassword. So, with this he will look into all directory information which he is not supposed to see.
>>> e.g. ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster
>>>
>>> So, how to avoid this?
>>
>> Why does the client user know the admin dn and pw????????
>
> Because the /etc/ldap.conf file on the client contains the admin dn and pw.
> Each user's information in the directory contains the following entries (here, e.g. ldap_6):
>
> dn: uid=ldap_6,ou=People,dc=abc,dc=com
> uid: ldap_6
> cn: ldap_6
> sn: ldap_6
> mail: ldap_6@abc.com
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: hostObject
> objectClass: simpleSecurityObject
> shadowLastChange: 13998
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 514
> gidNumber: 514
> homeDirectory: /home/ldap_6
> host: *
> userPassword:: e2NyeXB0fSQxJGRUb1p6bVp5JGY2VFF5UWMxNndSbjdLcHpnMUlsdS8=
>
> So, what should the ACL rule be so that each user can see his data only?
> I tried, but I am not getting the required result; even the user himself is unable to see his own data.
>
> --
> Thanks & Regards,
> Jayavant Ningoji Patil
> Engineer: System Software
> Computational Research Laboratories Ltd.
> Pune-411 004. Maharashtra, India.
> +91 9923536030.
The user itself is unable to see its own info.
[ldap_6@client]$ ldapsearch -x -v -b "dc=abc,dc=com" "(cn=ldap_6)" -h server
ldap_initialize( ldap://server )
filter: (cn=ldap_6)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> with scope subtree
# filter: (cn=ldap_6)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
Please inspect the debug log on your slapd server. If you set the log level to 128 or 256, you will see any error about "32 No such object".
--
Thanks & Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.
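The following slapd.conf fragment is an added example for readers of this thread; it is not code from the thread or from the OpenLDAP project. It puts the weak rule quoted above next to a ruleset that gives the "each user sees only his own entry" behaviour the thread asks for. The suffix dc=abc,dc=com, the rootdn cn=root,dc=abc,dc=com and the objectClasses are taken from the thread; the identity cn=nssproxy,dc=abc,dc=com is a hypothetical name chosen here for a low-privilege account the clients can bind as instead of the rootdn.

```conf
# Added example (not from the thread): slapd.conf ACLs for "a user may read
# only his own entry". Names from the thread: suffix dc=abc,dc=com, rootdn
# cn=root,dc=abc,dc=com, users under ou=People. cn=nssproxy is hypothetical.
#
# Two facts drive the layout:
#   * ACLs are evaluated in order and the first "access to" clause that
#     matches the entry wins, so specific rules must precede "access to *".
#   * The rootdn is exempt from ACLs altogether. A test run with
#     -D "cn=root,dc=abc,dc=com" sees everything regardless of the rules,
#     which is why the rootdn must never be in a client-readable file.

# --- weak rule as posted in the thread --------------------------------------
#   access to *
#       by self write
#       by * none
#
# (1) "anonymous" gets no "auth" access to userPassword, so simple binds
#     fail; ldapsearch -x without -D is an anonymous bind and gets nothing.
# (2) "self" never matches the base entry dc=abc,dc=com. Without "search"
#     access to the base, a subtree search returns "32 No such object"
#     rather than the user's own entry.

# --- corrected ruleset ------------------------------------------------------

# Passwords: the owner may change it, anyone may bind against it, nobody reads it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Account entries: only the account itself (and the NSS proxy identity) may read.
access to filter=(|(objectClass=simpleSecurityObject)(objectClass=posixAccount))
    by self read
    by dn.exact="cn=nssproxy,dc=abc,dc=com" read
    by * none

# Search base and container: authenticated identities get "search" only,
# enough for subtree searches to proceed without disclosing anything else.
access to dn.base="dc=abc,dc=com"
    by users search
    by * none

access to dn.base="ou=People,dc=abc,dc=com"
    by users search
    by * none

# Everything else is invisible. (Putting "by self write" here would not help:
# a user's own entry is already matched by the filter rule above.)
access to *
    by * none
```

Check the file with `slaptest -f slapd.conf` before restarting slapd, then test as the user rather than as root: `ldapsearch -x -D "uid=ldap_6,ou=People,dc=abc,dc=com" -W -b "dc=abc,dc=com" "(cn=ldap_6)"` should return exactly one entry, and the same bind with the filter `"(cn=ldap_7)"` should return zero entries. If a result still surprises you, the loglevel 128 mentioned in the reply above traces every ACL decision slapd makes. On the clients, the bind identity in /etc/ldap.conf should be the low-privilege proxy account, not the rootdn, and its password must not sit in a world-readable file.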