LebGeeks

A community for technology geeks in Lebanon.


#1 September 18 2014

Joe
Member

[OpenLDAP] Access Control

I'm setting up an LDAP system. Here's the LDIF export of my schema:

version: 1

# Entry 1: dc=identity,dc=example,dc=it
dn: dc=identity,dc=example,dc=it
dc: identity
o: Example
objectclass: top
objectclass: dcObject
objectclass: organization

# Entry 2: cn=admin,dc=identity,dc=example,dc=it
dn: cn=admin,dc=identity,dc=example,dc=it
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole

# Entry 3: ou=groups,dc=identity,dc=example,dc=it
dn: ou=groups,dc=identity,dc=example,dc=it
objectclass: organizationalUnit
objectclass: top
ou: groups

# Entry 4: cn=manager,ou=groups,dc=identity,dc=example,dc=it
dn: cn=manager,ou=groups,dc=identity,dc=example,dc=it
cn: manager
gidnumber: 500
objectclass: posixGroup
objectclass: top

# Entry 5: cn=developer,ou=groups,dc=identity,dc=example,dc=it
dn: cn=developer,ou=groups,dc=identity,dc=example,dc=it
cn: developer
gidnumber: 501
objectclass: posixGroup
objectclass: top

# Entry 6: ou=users,dc=identity,dc=example,dc=it
dn: ou=users,dc=identity,dc=example,dc=it
objectclass: organizationalUnit
objectclass: top
ou: users

# Entry 7: cn=First User,ou=users,dc=identity,dc=example,dc=it
dn: cn=First User,ou=users,dc=identity,dc=example,dc=it
cn: First User
gidnumber: 500
givenname: First
homedirectory: /home/users/fuser
loginshell: /bin/sh
mail: first.user@example.it
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: User
uid: fuser
uidnumber: 1001

# Entry 8: cn=Second User,ou=users,dc=identity,dc=example,dc=it
dn: cn=Second User,ou=users,dc=identity,dc=example,dc=it
cn: Second User
gidnumber: 501
givenname: Second
homedirectory: /home/users/suser
loginshell: /bin/sh
mail: second.user@example.it
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: User
uid: suser
uidnumber: 1002

As of right now, any user can modify every other user in the directory. It's like everyone has write permission on everything.
I'd like to manage access control such that an account can only be modified by:

1. The account itself
2. Any member of the manager group (gidNumber == 501)
3. The LDAP admin

How can I proceed?

EDIT: Here are the current ACL settings. They're the defaults from the Ubuntu packages. Maybe this can help:

~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=identity,dc=example,dc=it" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=identity,dc=example,dc=it"
 write by * read

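Added example (not part of the original post): a cn=config change that replaces the three default olcAccess values on olcDatabase={1}hdb with a rule set meeting the three requirements. It assumes the directory exported above and that "member of the manager group" means the bound user's own gidNumber equals the manager group's gid; the literal 500 is the gidNumber the export gives cn=manager (use 501 if cn=developer is the group meant). A `by group/...` clause is not used because it needs a DN-valued member attribute, and posixGroup's memberUid holds plain uid strings; the `set=` clause documented in slapd.access(5) matches on the user's gidNumber instead.

```ldif
# Added example, not the poster's configuration. Assumed suffix and admin DN are
# taken from the export above; the manager gid 500 is an assumption (see note).
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# {0} Passwords of user accounts: the account itself, a manager or the admin may
# set them; anonymous may only use them to bind; nobody else may read them.
olcAccess: {0}to dn.subtree="ou=users,dc=identity,dc=example,dc=it" attrs=userPassword,shadowLastChange
  by self write
  by dn.exact="cn=admin,dc=identity,dc=example,dc=it" write
  by set="user/gidNumber & [500]" write
  by anonymous auth
  by * none
# {1} Passwords on every other entry (notably cn=admin): managers are deliberately
# absent so a manager cannot reset the administrator's password.
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by dn.exact="cn=admin,dc=identity,dc=example,dc=it" write
  by anonymous auth
  by * none
# {2} Root DSE stays readable so clients can discover the naming context.
olcAccess: {2}to dn.base="" by * read
# {3} Identity attributes of user accounts are NOT self-writable. This rule must
# precede {4}: slapd stops at the first "to" clause matching the target, and if
# self could write gidNumber any user could make themselves a manager.
olcAccess: {3}to dn.subtree="ou=users,dc=identity,dc=example,dc=it" attrs=uid,uidNumber,gidNumber,homeDirectory,loginShell
  by dn.exact="cn=admin,dc=identity,dc=example,dc=it" write
  by set="user/gidNumber & [500]" write
  by * read
# {4} Everything else on a user entry: self, managers and the admin may write.
olcAccess: {4}to dn.subtree="ou=users,dc=identity,dc=example,dc=it"
  by self write
  by dn.exact="cn=admin,dc=identity,dc=example,dc=it" write
  by set="user/gidNumber & [500]" write
  by * read
# {5} Group entries, cn=admin and the suffix itself: admin only.
olcAccess: {5}to *
  by dn.exact="cn=admin,dc=identity,dc=example,dc=it" write
  by * read
```

Apply it over the same local socket the ldapsearch above uses, `ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then re-run that ldapsearch to confirm the six values are in place. To check the effect, bind as cn=Second User and attempt to change an attribute of cn=First User; slapd should reject it with "Insufficient access (50)", while the same change bound as the account itself or as cn=admin succeeds. Note that the default {2} rule shown in the post already limits writes to self and the admin, so a client that binds with the admin credentials will still be able to write everything under any ACL; check which DN the client is binding as.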
