
ACLs to allow users to traverse DIT down to their own entry, lock down everything else



Hi list, 

I've been fighting with ACLs for quite a bit now and most things seem 
to work, but not quite everything I need. I am using OpenLDAP 2.4.21 
(2.4.21-0ubuntu5.3) on Ubuntu 10.04.

A DN for a typical user looks like this (horribly long):

uid=foo@example.net,ou=users,domainName=example.net,
  ou=virtualDomains,dc=example,dc=com

What works is users authenticating against the directory and changing 
their own password (using ldappasswd, i.e. the LDAP extended password 
modify operation). I also have an authentication user that may read most 
of the directory.

== What I want to achieve ==

a) Users such as just described should be able to: 

  a.1) traverse the directory from the top (the base being 
"dc=example,dc=com") and
  a.2) see only their own entry along with the parent/ancestor entries 
leading to it.

b) The directory should be as locked down as possible. Anonymous binds 
are not allowed, nor should users see any attributes other than their 
own.

Essentially I want users to be able to use tools like phpLDAPadmin and 
traverse the tree down to their own entry.

== What I have so far ==

Please comment if you find anything objectionable.

{0}to attrs=userPassword 
  by dn="uid=authenticator,ou=services,dc=example,dc=com" read 
  by self write
  by users auth
  by anonymous auth 
  by * none
{1}to dn.subtree="ou=virtualDomains,dc=example,dc=com" 
  by dn="uid=authenticator,ou=services,dc=example,dc=com" read
  by users =d break
{2}to dn.regex="uid=[^,]+,ou=users,domainName=[^,]+,ou=virtualDomains,dc=example,dc=com"
  by self read

This mostly works. 

== What doesn't work ==

Users can authenticate and change passwords and don't see anything 
except their own entry, *IF* they specify their own DN as search base in, 
e.g., ldapsearch. Tools like phpLDAPadmin are not happy with this and say 
that the top entry (dc=example,dc=com) doesn't exist ("No such object"), 
which is of course consistent with the ACLs as specified.

So what do I need to do so users can specify "dc=example,dc=com" as 
search base and traverse the directory tree down to their own DN entry?

I must admit that ACLs in LDAP are far more complex than I would ever 
have guessed. It also doesn't help that many examples on ACLs have a 
world-readable directory (by * read) that just gets locked down a bit. I, 
on the other hand, want the directory completely locked down and open up 
only specific parts to users (and later groups).

Sorry for this long post. Any and all help is appreciated.

Thanks, 

Andreas
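One way to open just the path from the suffix down to each user's own entry, as an added example that is not the poster's configuration: it assumes the same tree layout and the same uid=authenticator service account as in the post, and is written in slapd.conf "access to" form (the same values go into olcAccess with the {n} prefixes).

```conf
# Added example (not the poster's config). Assumes the tree and the
# uid=authenticator service account from the post. Rules are tried in
# order; the first "to" clause that matches decides, so the most specific
# rules come first.

# 1. Passwords: owner may change, binds may verify, authenticator may read.
access to attrs=userPassword
  by dn.exact="uid=authenticator,ou=services,dc=example,dc=com" read
  by self write
  by users auth
  by anonymous auth
  by * none

# 2. Each user's own entry, all attributes. This must precede the ancestor
#    rules so that nothing below hides it.
access to dn.regex="^uid=[^,]+,ou=users,domainName=[^,]+,ou=virtualDomains,dc=example,dc=com$"
  by dn.exact="uid=authenticator,ou=services,dc=example,dc=com" read
  by self read
  by * none

# 3. domainName=<d> and ou=users,domainName=<d>: only users whose own entry
#    lies under <d> may search through them and get them returned. "entry"
#    is the pseudo-attribute slapd checks before an entry may serve as a
#    search base (search access) or be returned (read access); objectClass
#    is what phpLDAPadmin's (objectClass=*) filter needs. $2 is the domain
#    part captured by the "to" regex; the suffix is fixed, so the expanded
#    pattern needs no end anchor.
access to dn.regex="^(ou=users,)?(domainName=[^,]+,ou=virtualDomains,dc=example,dc=com)$"
    attrs=entry,objectClass
  by dn.exact="uid=authenticator,ou=services,dc=example,dc=com" read
  by dn.regex="^uid=[^,]+,ou=users,$2" read
  by * none

# 4. The suffix and ou=virtualDomains: any authenticated user may pass
#    through, but sees nothing beyond the RDN and objectClass.
access to dn.regex="^(ou=virtualDomains,)?dc=example,dc=com$" attrs=entry,objectClass
  by dn.exact="uid=authenticator,ou=services,dc=example,dc=com" read
  by users read
  by * none

# 5. Everything else (other users' entries, ou=services, all remaining
#    attributes) stays closed; anonymous never gets past rule 1.
access to *
  by dn.exact="uid=authenticator,ou=services,dc=example,dc=com" read
  by * none
```

Each rule can be checked offline with slapacl(8) before the server is reloaded, e.g. `slapacl -D "<user DN>" -b "dc=example,dc=com" entry/search` should be allowed for a user and `slapacl -D "<user DN>" -b "<another user's DN>" entry/read` denied.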
