Dario Zanzico wrote:
On Wed, Sep 23, 2015, at 10:36 AM, Fischer, Johannes wrote:
> I struggle with the ACLs, I want a special account to check the username
> and PW of the entries on the LDAP server.
> Therefore I’ve written the following in the slapd.conf file:
>
> access to attrs=userPassword
>         by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
>         by self write
>         by anonymous none
This ACL makes everyone able to write everything (except the password,
which can be written by cn=authenticate and self),
and makes it impossible to bind non-anonymously.
If you want users to be able to authenticate you should give 'anonymous'
users auth permissions to the userPassword attr:
access to attrs=userPassword
        # allow connections to bind as user
        by anonymous auth
        # allow self password change
        by self write
        # allow cn=authenticate password change
        by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
Also note that "write" also includes "read" access which is not
necessary.
Better use privileges.
I've compiled some of my usual simple patterns into this example config:
https://build.opensuse.org/package/view_file/home:stroeder:branches:netwo...
YMMV. So everybody caring for real access control should really dive into
slapd.access(5) [1].
[1]
http://www.openldap.org/software/man.cgi?query=slapd.access
Ciao, Michael.
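As an added illustration of the "use privileges instead of levels" point above (this is not from any of the posts in the thread, nor from Michael's linked config), here is the userPassword ACL from the thread rewritten with the privilege letters documented in slapd.access(5). It keeps the cn=authenticate DN from the question; the assumption that this account only needs to verify passwords, not set them, is taken from how the question describes it, so "w" would have to be added if it actually resets passwords.

```conf
# Added example, not from the original posts: the userPassword ACL from the
# thread rewritten with the privilege letters from slapd.access(5).
# Access LEVELS are cumulative ("write" implies read, search, compare and
# auth); PRIVILEGES introduced with "=" grant exactly the listed letters:
#   x  auth     the value may be used to check a bind, but is never returned
#   c  compare  the value may be tested with an LDAP compare, but not read
#   w  write    the value may be replaced (e.g. Password Modify, RFC 3062)
# Result: anonymous connections can bind as a user, a user can change only
# its own password, cn=authenticate can verify a password with a compare,
# and nobody (not even the owner) can read the stored hash back.
# Both "access to" clauses and "by" clauses are matched first-hit in order,
# so this directive must appear before any catch-all "access to *".
access to attrs=userPassword
        by anonymous =x
        by self =w
        by dn.exact="cn=authenticate,dc=vfk,dc=ldap,dc=com" =c
        by * none

# Everything else: readable by the dedicated account and by any bound user;
# anonymous gets nothing (the implicit trailing "by * none" applies).
access to *
        by dn.exact="cn=authenticate,dc=vfk,dc=ldap,dc=com" read
        by users read
```

The rules can be checked offline with slapacl(8) before restarting slapd. With the configuration above in slapd.conf, and a hypothetical user entry uid=jdoe (the DN is made up for this example), `slapacl -f slapd.conf -u -D "cn=authenticate,dc=vfk,dc=ldap,dc=com" -b "uid=jdoe,ou=people,dc=vfk,dc=ldap,dc=com" userPassword/read userPassword/compare` should report read as DENIED and compare as ALLOWED for the dedicated account; if the application instead only looks up the user's DN and then re-binds as that user, the account needs no access to userPassword at all and the `=c` line can be dropped.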