OpenLDAP Faq-O-Matic: OpenLDAP Software FAQ: Configuration: SLAPD Configuration: Access Control: More information about Access Control
Warning: This is an attempt at documenting the access control facilities in OpenLDAP 2.0. I wrote it precisely because I did not understand them. So I started reading the source and collecting comments from the mailing lists until I could get the general picture. But I am not sure I have understood the thing myself. So please, please, please, do fix anything I got wrong.
As the directory gets populated with more and more data of varying sensitivity, controlling the kinds of access granted to the directory becomes more and more critical. For instance, the directory may contain data of a confidential nature that you are required to protect by contract or by law. Or, if the directory is used to control access to other services (via pam_ldap, Apache's auth_ldap, etc.), inappropriate access to the directory may open avenues of attack against your site that result in devastating damage to your assets.

So far, subverting the directory to gain access to a site has not been a common method of attack, but it is only a matter of time before attacks of this kind appear as directories become common infrastructure. If you plan to use a directory for such sensitive information, it is imperative that you learn how to specify what others will be able to see or modify.
OpenLDAP 2.0 comes with a great many enhancements in the access control area. These many new features are currently poorly documented. This document is an attempt at documenting them and reflects my understanding from the code and comments in the mailing lists. However, I do not claim that what is described here actually reflects what happens.
Versioning issues

Most of the following access-related FAQs were initially written by volunteers when moving from OpenLDAP 1.X to OpenLDAP 2.0. Many details changed from 2.0 to 2.1 and 2.2, so some of the answers may now be outdated. If you find answers that do not indicate the version they refer to, they might be outdated, so please use them with care. Always refer to slapd.access(5) for the ultimate answer on any details concerning access control. Answers will be (slowly) reviewed, and the appropriateness of every detail for the supported versions (as of the time of this writing, 2.1 and 2.2) will be highlighted. Thanks to those who will cooperate by posting new answers or by fixing existing ones.

List of known versioning issues