Hello all,
Since there is some time, I figured I'd rectify our OpenLDAP configuration and use proper ACLs.
We are using the following version on Solaris 10:
[xxxx:/opt/csw/libexec]$ ./slapd -V
@(#) $OpenLDAP: slapd 2.3.39 (Feb 22 2008 18:51:52) $
asmoore@ra
Our user subtree is organized as shown below:
o=suffix
ou=people,o=suffix
uid=kdz,ou=people,o=suffix
uid=hyc,ou=people,o=suffix
ou=removed_accounts,ou=people,o=suffix
uid=abcd,ou=removed_accounts,ou=people,o=suffix
uid=efgh,ou=removed_accounts,ou=people,o=suffix
Basically, I want getent passwd not to list entries below ou=removed_accounts,ou=people,o=suffix, because a client application still considers the removed accounts as users (it probably searches the whole subtree).
I read the documentation for 2.3:
http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control http://www.openldap.org/doc/admin23/slapdconfig.html
And found this:
The scope can be either base, one, subtree, or children. Where base matches only the entry with provided DN, one matches the entries whose parent is the provided DN, subtree matches all entries in the subtree whose root is the provided DN, and children matches all entries under the DN (but not the entry named by the DN).
So, I figured that an ACL (no global ACLs any longer) like this
access to dn.one="ou=People,o=suffix" by * write
should hide the removed accounts and only show the active ones.
But it does not: it still contains all the children of
ou=removed_accounts,ou=people,o=suffix
and of
ou=people,o=suffix
Using dn.base="ou=People,o=suffix" by * write
works as expected: getent passwd does not return any LDAP users, solely the /etc/passwd users.
The client system in question is a Solaris 10 machine; I have kept the client configuration unchanged for the tests so far:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 127.0.0.1
NS_LDAP_SEARCH_BASEDN= o=suffix
NS_LDAP_SEARCH_TIME= 90
NS_LDAP_CACHETTL= 0
There are only two other ACLs in place:
1. access to dn.one="ou=Group,o=siemensmedical.com" by * write
This one works fine, getent group returns all the groups it should return and the changes can be done as well.
2. access to dn.subtree="ou=Roles,o=siemensmedical.com" by * write
This one works fine as well, it returns the role structure as requested and changes work as well.
Where am I making a mistake?
Best regards,
Claus
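The scope rules quoted from the 2.3 Admin Guide, applied to the DIT from the post, as an added example that is not part of the original message and not OpenLDAP's own code: a small Python model of which entries a dn.base / dn.one / dn.subtree / dn.children target selects. It assumes simplified DNs (RDNs split on commas, no escaped commas in values).

```python
# Added example: a model of slapd's dn.<scope> matching rules (base, one,
# subtree, children) as described in the 2.3 Admin Guide, applied to the
# DIT listed in the post.  Assumption: RDNs are split on plain commas, so
# values containing escaped commas are not handled.

def normalize_dn(dn: str) -> tuple:
    """Split a DN into lower-cased RDNs, leaf first, e.g.
    'uid=kdz,ou=People,o=suffix' -> ('uid=kdz', 'ou=people', 'o=suffix')."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def dn_in_scope(scope: str, target: str, entry: str) -> bool:
    """True if `entry` is selected by an ACL target dn.<scope>="target"."""
    t, e = normalize_dn(target), normalize_dn(entry)
    if scope == "base":                     # exactly the named entry
        return e == t
    if scope == "one":                      # entries whose parent is target
        return len(e) == len(t) + 1 and e[1:] == t
    if scope == "subtree":                  # target itself and everything below
        return len(e) >= len(t) and e[len(e) - len(t):] == t
    if scope == "children":                 # everything below, excluding target
        return len(e) > len(t) and e[len(e) - len(t):] == t
    raise ValueError(f"unknown scope: {scope}")

# The user subtree from the post (constructed from the DNs listed there).
DIT = [
    "o=suffix",
    "ou=people,o=suffix",
    "uid=kdz,ou=people,o=suffix",
    "uid=hyc,ou=people,o=suffix",
    "ou=removed_accounts,ou=people,o=suffix",
    "uid=abcd,ou=removed_accounts,ou=people,o=suffix",
    "uid=efgh,ou=removed_accounts,ou=people,o=suffix",
]

def entries_in_scope(scope: str, target: str, dit=DIT) -> list:
    """Return the entries of `dit` that dn.<scope>="target" applies to."""
    return [dn for dn in dit if dn_in_scope(scope, target, dn)]

if __name__ == "__main__":
    for scope in ("base", "one", "subtree", "children"):
        print(f'dn.{scope}="ou=People,o=suffix" selects:')
        for dn in entries_in_scope(scope, "ou=People,o=suffix"):
            print("   ", dn)
```

Running it shows that dn.one selects the ou=removed_accounts entry itself (it is a direct child of ou=People) but none of the uid entries beneath it, which is what the quoted definition of "one" says.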