> <mailto:
> <mailto:
public@raffaelsahli.com
<mailto:
public@raffaelsahli.com>>>
wrote:
> >> >>Hi
> >>
> >> >>I think you mean SSL connection or
the STARTTLS Layer...?
> >> >>Please read the manual
http://www.openldap.org/doc/admin24/tls.html
> >> >Ok.
> >>
> >> >>And tree security:
> >> >>On my server, a client user can only
see his own object:
> >> >Are you using simple authentication
mechanism?
> >>
> >> >>Maybe create a rule like this:
> >> >>access to filter=(objectClass=
> >> >>simpleSecurityObject)
> >> >> by self read
> >> >> by * none
> >>
> >> >I am not getting what the ACL rule
specifies. Any suggestions?
> >>
> >>
> >> I have two users ldap_6 and ldap_7. I
want to restrict a user to
> >> see his own data only.
> >> In slapd.conf, I specified the rule as
follows:
> >> access to *
> >> by self write
> >> by * none
> >>
> >> But ldap_6 can see the ldap_7 user
entries (or vice versa) with
> >> $ldapsearch -x -v -D
"cn=root,dc=abc,dc=com" -b
> >> "ou=People,dc=abc,dc=com" "uid=ldap_7"
> >>
> >> Any suggestions?
> >>
> >On Wed, 30 Nov 2011 08:38:32 +0100 Raffael Sahli
simpleSecurityObject)(objectClass=posixAccount))
> > by self read
> > by * none
>
>
> >Just add this rule before the global rule
"access to *"
>
>
> >>ldapsearch -x -v -D
"cn=root,dc=abc,dc=com" -b
> >>"ou=People,dc=abc,dc=com" "uid=ldap_7"
>
> >And if you search like this with bind "admin
dn", you will see every
> >object....
> >You have to bind with user ldap_6 and not with
root
> But anyway client user knows the admin dn and
rootbindpassword. So,
> with this he will look into all directory
information to which he is
> not supposed to do.
> e.g. ldapsearch -x -v -D "cn=root,dc=abc,dc=com"
-w cluster
>
> So, how to avoid this?
>
>>Why client user knows the admin dn and pw????????
>Because /etc/ldap.conf file on client contains admin dn
and pw.
>Each user information in the directory contains the
following entries(here, e.g. ldap_6)
>dn: uid=ldap_6,ou=People,dc=abc,dc=com
>uid: ldap_6
>cn: ldap_6
>sn: ldap_6
>mail:
ldap_6@abc.com
>objectClass: person
>objectClass: organizationalPerson
>objectClass: inetOrgPerson
>objectClass: posixAccount
>objectClass: top
>objectClass: shadowAccount
>objectClass: hostObject
>objectClass: simpleSecurityObject
>shadowLastChange: 13998
>shadowMax: 99999
>shadowWarning: 7
>loginShell: /bin/bash
>uidNumber: 514
>gidNumber: 514
>homeDirectory: /home/ldap_6
>host: *
>userPassword::
e2NyeXB0fSQxJGRUb1p6bVp5JGY2VFF5UWMxNndSbjdLcHpnMUlsdS8=
>So, what should be the ACL rule so that each user can
see his data only? I tried but not getting the required,
even the >user himself is unable to see his own data.
--
Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.