On 11/30/2011 08:01 AM, Jayavant Patil wrote:


On Tue, Nov 29, 2011 at 6:26 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:

>>Mon, 28 Nov 2011 11:25:16 +0100 Raffael Sahli <public@raffaelsahli.com> wrote:
>>Hi

>>I think you mean SSL connection or the STARTTLS Layer...?
>>Please read the manual http://www.openldap.org/doc/admin24/tls.html
 >Ok.

>>And tree security:
>>On my server, a client user can only see his own object:
>Are you using simple authentication mechanism?

>>Maybe create a rule like this:
>>access to filter=(objectClass=
>>simpleSecurityObject)
>>      by self read
>>        by * none

>I am not getting what the ACL rule specifies. Any suggestions?

     I have two users ldap_6 and ldap_7. I want to restrict a user to see his own data only.
     In slapd.conf, I specified the rule as follows:
           access to *
              by self write
              by * none

     But ldap_6 can see the ldap_7 user entries (or vice versa) with
      $ldapsearch -x -v -D  "cn=root,dc=abc,dc=com" -b "ou=People,dc=abc,dc=com" "uid=ldap_7"

   Any suggestions?
  

Yes, that's exactly the rule I wrote above.

access to filter=(objectClass=simpleSecurityObject)
     by self read
     by * none


Maybe you have to change the objectClass to posixAccount, or both or whatever....

access to filter=(|(objectClass=simpleSecurityObject)(objectClass=posixAccount))
        by self read
        by * none


Just add this rule before the global rule "access to *"


>ldapsearch -x -v -D  "cn=root,dc=abc,dc=com" -b "ou=People,dc=abc,dc=com" "uid=ldap_7"

And if you search like this with bind "admin dn", you will see every object....
You have to bind with user ldap_6 and not with root





  

--

Thanks & Regards,

Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.




--

Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.



-- 
Raffael Sahli
public@raffaelsahli.com