--On Friday, April 29, 2022 8:45 PM +0000 gerson.garcia@itron.com wrote:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid" write by * read
And only secadmin can make changes in the LDAP, that is great.
However, all other users can ldapsearch:
$ ldapsearch -x -v -H ldaps://openldap:636 -b "dc=nocinbox,dc=inc" -D "cn=admin,ou=users,dc=nocinbox,dc=inc" -W | grep numResponses
ldap_initialize( ldaps://openldap:636/??base )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
# numResponses: 29
Is there any olcAccess configuration I can use to not allow any user to run ldapsearch but still be able to authenticate them? They still need to ssh and access some web servers.
I suggest reading slapd.access(5) and understanding what "by * read" implies and then adjust your ACLs accordingly.
--Quanah
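As an added illustration of the point Quanah is making (this is not part of the thread and not the list's or the poster's configuration), the {2} rule from the question is shown beside a tightened version. The "by * read" clause is what lets any bind identity, including anonymous, search the whole subtree. Bind itself only needs "auth" on userPassword, which rule {0} already grants, so the subtree rule can drop to "by * none" for everyone except the administrators and whatever identity the ssh and web hosts use for their lookups; the service-account DN cn=svc-lookup,ou=users,dc=nocinbox,dc=inc below is an assumed placeholder, not a name from the thread.

```ldif
# Added example, not from the mailing-list thread.
# Original {2} rule as posted: the trailing "by * read" grants read (and
# therefore search) on every entry under the suffix to every identity.
olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc"
  by set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid" write
  by * read

# Tightened replacement. Rules are evaluated in order and the first rule whose
# <what> matches wins, so {0} still handles userPassword (self write, anonymous
# auth) and simple binds keep working. Only the sec-admin set may write, only
# the lookup account (assumed DN, used by the ssh/web hosts for NSS/PAM
# resolution) may read, and every other identity gets no access at all.
olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc"
  by set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid" write
  by dn.exact="cn=svc-lookup,ou=users,dc=nocinbox,dc=inc" read
  by * none
```

To confirm the change took effect, repeat the ldapsearch from the question bound as an ordinary user such as cn=admin,ou=users,dc=nocinbox,dc=inc: the bind should still succeed, but the search should return no entries instead of the 29 seen before. Then verify that the lookup account and a member of cn=sec-admin can still see what they need before rolling it out to the hosts.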