Hi list,

I've been fighting with ACLs for quite a bit now and most things seems to work but I not quite everything I need. I am using OpenLDAP 2.4.21 (2.4.21-0ubuntu5.3) on Ubuntu 10.04.

A DN for a typical user looks like this (horribly long):

uid=foo@example.net,ou=users,domainName=example.net, ou=virtualDomains,dc=example,dc=com

What works is users authenticating against the director and changing their own password (using ldappasswd, i.e. the LDAP extended password modify operation). I also have an authentication user that may read most of the directory.

== What I want to achieve ==

a) Users such as just described should be able to:

a.1) traverse the directory from the top (the base being "dc=example,dc=com") and a.2) see only their own entry along with the parent/ancestor entries leading to it.

b) The directory should be as locked down as possible. Anonymous binds are not allowed, nor should users see any attributes other than their own.

Essentially I want users to be able to use tools like phpLDAPadmin and traverse the tree down to their own entry.

== What I have so far ==

Please comment if you find anything objectionable.

{0}to attrs=userPassword by dn="uid=authenticator,ou=services,dc=example,dc=com" read by self write by users auth by anonymous auth by * none {1}to dn.subtree="ou=virtualDomains,dc=example,dc=com" by dn="uid=authenticator,ou=services,dc=example,dc=com" read by users =d break {2}to dn.regex="uid=[^,]+,ou=users,domainName=[^,]+, \ ou=virtualDomains,dc=example,dc=com" by self read

This mostly works.

== What doesn't work ==

Users can authenticate and change passwords and don't see anything except their own entry, *IF* they specify their own DN as search base in i.e. ldapsearch. Tools like phpLDAPadmin are not happy with this and say that the top entry (dc=example,dc=com) doesn't exist ("No such object"). Which is of course consistent with the ACLs as specified.

So what do I need to do so users can specify "dc=example,dc=com" as search base and traverse the directory tree down to their own DN entry?

I must admit that ACLs in LDAP are far more complex than I would ever have guessed. It also doesn't help that many examples on ACLs have a world-readable directory (by * read) that just gets locked down a bit. I on the other hand want the directory completely locked down and open up only specific parts to users (and later groups).

Sorry for this long post. Any and all help is appreciated.

Thanks,

Andreas