Hi, really appreciate your help.

1 - Well, users only authenticate their passwords, nothing else, on the client side to log in to the server, so I guess anon logins should not be allowed.
2 - I use the Manager account to log in to the phpLDAPadmin console or Apache Directory Studio.
3 - Password and groups and ppolicy
4 - Using pam on the client side, a human is expected to provide username and password, which is working along with the ppolicy, expiration time, password length and so on. I can provide how it's configured if you want.

Thanks for your time and support

2014-10-28 9:55 GMT-03:00 Andrew Findlay <andrew.findlay@skills-1st.co.uk>:
On Mon, Oct 27, 2014 at 03:43:03PM -0300, Net Warrior wrote:

> Based on the ACLs I posted from my configuration, what else can you
> recommend to include, tweak or modify?

As both Michael and Dieter have said, this is very dependent on your
site's requirements and policy. You need to work out what those are.
If you can answer these questions, we might be able to help you some more:

1)      Should an anonymous user be able to get any data at all?
        (Ignore the root entry: we are talking about the subtree
        under dc=domain,dc=com here)

2)      What classes of user should have access to the data?
        Examples might be:

                LDAP administrator
                Web applications
                Desktop addressbook users
                Webmail users
                Directory synchronisation processes

3)      For each of the above, what data (entries and attributes)
        do they need?

4)      How will the users authenticate to the LDAP service?
        i.e. Will the user DNs and passwords be configured into
        the applications, or is the human user expected to supply
        a username and password each time?

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
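Added example (not from either message in this thread): a minimal olcAccess set that would match the answers given above, namely no anonymous read access under the suffix, users able to change only their own password, and a single admin account with write access. The suffix dc=domain,dc=com comes from Andrew's question; the database DN olcDatabase={1}mdb,cn=config and the admin DN cn=Manager,dc=domain,dc=com are assumptions and must be adjusted to the real configuration. It replaces the common default of "to * by * read", which is what gives anonymous clients everything.

```ldif
# Added example, not from the thread. Assumed: database olcDatabase={1}mdb,cn=config,
# suffix dc=domain,dc=com (from the thread), admin DN cn=Manager,dc=domain,dc=com.
# Applied with: ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: the admin and the entry owner may write (ppolicy still checks
# quality, length and history on the self-write path); "anonymous auth" grants
# only what a simple bind needs to be evaluated, never a read; everyone else none.
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=Manager,dc=domain,dc=com" write
  by self write
  by anonymous auth
  by * none
# Everything else: admin writes, any authenticated identity reads, anonymous
# gets nothing. PAM/NSS clients therefore must bind with a DN rather than anonymously.
olcAccess: {1}to *
  by dn.exact="cn=Manager,dc=domain,dc=com" write
  by users read
  by * none
```

Two things to check after applying it: a `replace:` discards every existing olcAccess value on that database, so any rule you still need (for example a separate rule for a service account) has to be re-added here; and if cn=Manager is the database's rootdn it bypasses ACLs entirely, so the explicit `write` line only documents intent. Verify the effect with an anonymous search (`ldapsearch -x -b dc=domain,dc=com`), which should now return no entries, and with a bind as an ordinary user, which should read entries but fail to read any other user's userPassword.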