On 12/01/2011 02:42 PM, Jayavant Patil wrote:
On Wed, 30 Nov 2011 14:18:00 +0100  Raffael Sahli <public@raffaelsahli.com> wrote:
>On 11/30/2011 01:48 PM, Jayavant Patil wrote:
>
>
> >>On 11/30/2011 08:01 AM, Jayavant Patil wrote:
> >>
> >>
> >> On Tue, Nov 29, 2011 at 6:26 PM, Jayavant Patil
> >> <jayavant.patil82@gmail.com> wrote:
> >>
> >>
> >> >>Mon, 28 Nov 2011 11:25:16 +0100 Raffael Sahli
> >> <public@raffaelsahli.com> wrote:
> >> >>Hi
> >>
> >> >>I think you mean SSL connection or the STARTTLS Layer...?
> >> >>Please read the manual http://www.openldap.org/doc/admin24/tls.html
> >> >Ok.
> >>
> >> >>And tree security:
> >> >>On my server, a client user can only see his own object:
> >> >Are you using simple authentication mechanism?
> >>
> >> >>Maybe create a rule like this:
> >> >>access to filter=(objectClass=simpleSecurityObject)
> >> >>    by self read
> >> >>    by * none
> >>
> >> >I am not getting what the ACL rule specifies. Any suggestions?
> >>
> >>
> >>      I have two users ldap_6 and ldap_7. I want to restrict a user to
> >> see his own data only.
> >>      In slapd.conf, I specified the rule as follows:
> >>            access to *
> >>               by self write
> >>               by * none
> >>
> >>      But ldap_6 can see the ldap_7 user entries (or vice versa) with
> >>       $ ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -b "ou=People,dc=abc,dc=com" "uid=ldap_7"
> >>
> >>    Any suggestions?
> >>
> >On Wed, 30 Nov 2011 08:38:32 +0100 Raffael Sahli
> <public@raffaelsahli.com> wrote:
> >Yes, that's exactly the rule I wrote above.
>
> >access to filter=(objectClass=simpleSecurityObject)
> >    by self read
> >    by * none
>
>
> >Maybe you have to change the objectClass to posixAccount, or both or
> >whatever....
>
> >access to filter=(|(objectClass=simpleSecurityObject)(objectClass=posixAccount))
> >    by self read
> >    by * none
>
>
> >Just add this rule before the global rule "access to *"
>
>
> >>ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -b "ou=People,dc=abc,dc=com" "uid=ldap_7"
>
> >And if you search like this with bind "admin dn", you will see every
> >object....
> >You have to bind with user ldap_6 and not with root
> But anyway, the client user knows the admin dn and root bind password. So,
> with this he can look into all the directory information which he is
> not supposed to see.
> e.g. ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster
>
> So, how to avoid this?
>


>Why does the client user know the admin dn and pw????????

Because the /etc/ldap.conf file on the client contains the admin dn and pw.

Why??? That's not really secure...
You can write the password of the admin dn in a separate file with chmod 0400 (root owner).
Please read the man pages for that, it's different in every distribution.
Each user's information in the directory contains the following entries (here, e.g. ldap_6):

dn: uid=ldap_6,ou=People,dc=abc,dc=com
uid: ldap_6
cn: ldap_6
sn: ldap_6
mail: ldap_6@abc.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: hostObject
objectClass: simpleSecurityObject
shadowLastChange: 13998
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 514
gidNumber: 514
homeDirectory: /home/ldap_6
host: *
userPassword:: e2NyeXB0fSQxJGRUb1p6bVp5JGY2VFF5UWMxNndSbjdLcHpnMUlsdS8=

So, what should the ACL rule be so that each user can see only his own data? I tried, but I am not getting the required result; even the user himself is unable to see his own data.

--

Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.
-- 
Raffael Sahli
public@raffaelsahli.com
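The following slapd.conf fragment is an added example, not configuration posted by either participant in this thread; it puts together the pieces discussed above for the entries shown (dc=abc,dc=com, ou=People, posixAccount users) and adds two things the thread does not spell out. First, slapd evaluates `access to` clauses in order and the first one whose target matches wins, so the per-user rule must come before the global `access to *` (as Raffael says), and the `userPassword` rule must come before both, with `by anonymous auth`, because a simple bind is performed as anonymous and needs `auth` access to `userPassword`; without it no user can bind, which matches "even the user himself is unable to see his own data". Second, the rootdn (`cn=root,dc=abc,dc=com`) bypasses ACLs entirely, so no ACL helps while clients bind as it; the fix is on the client, as noted after the block. The DN names are taken from the thread; everything else (the container rules, the search checks in the comments) is an assumption about a typical deployment.

```conf
# slapd.conf ACL example (added; not from the original thread).
# Order matters: the first matching "access to" clause wins.

# 1. userPassword: the owner may change it, anonymous may *authenticate*
#    against it (needed for simple binds), nobody may read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. Containers: let authenticated users use them as a search base without
#    reading their contents ("entry" is the pseudo-attribute slapd checks
#    for the base object of a search).
access to dn.exact="dc=abc,dc=com" attrs=entry
    by users search
    by * none
access to dn.exact="ou=People,dc=abc,dc=com" attrs=entry
    by users search
    by * none

# 3. Account entries: each user may read only his own entry
#    (all attributes except userPassword, already handled in rule 1).
access to dn.children="ou=People,dc=abc,dc=com" filter=(objectClass=posixAccount)
    by self read
    by * none

# 4. Global catch-all, last.
access to *
    by * none

# Expected behaviour (assumption; run as the user, not as the rootdn):
#   ldapsearch -x -D "uid=ldap_6,ou=People,dc=abc,dc=com" -W \
#       -b "ou=People,dc=abc,dc=com" "(uid=ldap_6)"   -> ldap_6's entry, no userPassword
#   ldapsearch -x -D "uid=ldap_6,ou=People,dc=abc,dc=com" -W \
#       -b "ou=People,dc=abc,dc=com" "(uid=ldap_7)"   -> no entries returned
#   ldapsearch -x -D "cn=root,dc=abc,dc=com" -w ...   -> everything (rootdn ignores ACLs)
```

On the client side, assuming the PADL nss_ldap/pam_ldap `/etc/ldap.conf` the thread refers to: remove the `binddn`/`bindpw` lines (that file is world-readable), and if root-level access is needed at all, use `rootbinddn cn=root,dc=abc,dc=com` with the password alone in `/etc/ldap.secret`, owned by root with mode 0600; nss_ldap reads that file only when the calling process is root. Note the tension this leaves: NSS lookups (getpwnam, getent) from the client need read access to the posixAccount attributes of other users, so in practice those are granted to a dedicated low-privilege proxy DN rather than to the rootdn, and the per-user "self only" rule above then has to make an exception for that DN.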