On 11/30/2011 08:01 AM, Jayavant Patil wrote:
On Tue, Nov 29, 2011 at 6:26 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
>> Mon, 28 Nov 2011 11:25:16 +0100 Raffael Sahli <public@raffaelsahli.com> wrote:
>> Hi
>> I think you mean SSL connection or the STARTTLS Layer...?
>> Please read the manual http://www.openldap.org/doc/admin24/tls.html
> Ok.
>> And tree security:
>> On my server, a client user can only see his own object:
> Are you using a simple authentication mechanism?
>> Maybe create a rule like this:
>> access to filter=(objectClass=simpleSecurityObject)
>>     by self read
>>     by * none
> I am not getting what the ACL rule specifies. Any suggestions?
> I have two users ldap_6 and ldap_7. I want to restrict a user to see his own data only. In slapd.conf, I specified the rule as follows:
> access to * by self write by * none
> But ldap_6 can see the ldap_7 user entries (or vice versa) with
> $ ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -b "ou=People,dc=abc,dc=com" "uid=ldap_7"
> Any suggestions?
Yes, that's exactly the rule I wrote above.
access to filter=(objectClass=simpleSecurityObject) by self read by * none
Maybe you have to change the objectClass to posixAccount, or both or whatever....
access to filter=(|(objectClass=simpleSecurityObject)(objectClass=posixAccount)) by self read by * none
Just add this rule before the global rule "access to *"
ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -b "ou=People,dc=abc,dc=com" "uid=ldap_7"
And if you search like this with bind "admin dn", you will see every object.... You have to bind with user ldap_6 and not with root
-- Thanks & Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.
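Raffael's two points, that the specific rule has to come before "access to *" and that a search bound as the rootdn is not subject to ACLs at all, can be checked with this small model of how slapd evaluates access directives. It is an added example, not code from the thread or from OpenLDAP; it assumes the documented first-match evaluation (first directive whose target matches, then first matching "by" clause, otherwise deny) and reuses the DNs and users from the thread as constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

NONE, READ, WRITE = 0, 1, 2          # slapd access levels, lowest to highest
ROOTDN = "cn=root,dc=abc,dc=com"     # rootdn used in the thread's ldapsearch

@dataclass
class Entry:
    dn: str
    object_classes: FrozenSet[str]

@dataclass
class Rule:
    """One 'access to <what> by <who> <level> ...' directive.
    object_classes=None models 'access to *'; a set models
    filter=(|(objectClass=a)(objectClass=b))."""
    object_classes: Optional[FrozenSet[str]]
    by: List[Tuple[str, int]]        # ("self" | "*", level), in the order written

def access(rules: List[Rule], bind_dn: str, entry: Entry) -> int:
    # The rootdn is never subject to access control, which is why a search
    # bound as cn=root returns every entry regardless of the ACLs.
    if bind_dn == ROOTDN:
        return WRITE
    for rule in rules:               # first directive whose <what> matches wins
        if rule.object_classes is not None and not (rule.object_classes & entry.object_classes):
            continue
        for who, level in rule.by:   # first matching <who> clause decides
            if who == "*" or (who == "self" and bind_dn == entry.dn):
                return level
        return NONE                  # implicit trailing "by * none"
    return NONE                      # implicit trailing "access to * by * none"

# Constructed sample entries for the two users from the thread.
LDAP6 = Entry("uid=ldap_6,ou=People,dc=abc,dc=com", frozenset({"posixAccount", "shadowAccount"}))
LDAP7 = Entry("uid=ldap_7,ou=People,dc=abc,dc=com", frozenset({"posixAccount", "shadowAccount"}))

SELF_ONLY = Rule(frozenset({"simpleSecurityObject", "posixAccount"}), [("self", READ), ("*", NONE)])
GLOBAL = Rule(None, [("self", WRITE), ("*", NONE)])

RIGHT_ORDER = [SELF_ONLY, GLOBAL]    # specific rule before "access to *"
WRONG_ORDER = [GLOBAL, SELF_ONLY]    # "access to *" first: SELF_ONLY is never reached

if __name__ == "__main__":
    for label, rules in (("right", RIGHT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "ldap_6->ldap_6:", access(rules, LDAP6.dn, LDAP6),
              "ldap_6->ldap_7:", access(rules, LDAP6.dn, LDAP7),
              "root->ldap_7:", access(rules, ROOTDN, LDAP7))
```

With the global rule first, ldap_6 still cannot read ldap_7, but gets write rather than read on its own entry, showing that the later, more specific directive is shadowed; binding as rootdn sees everything in both orders.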