
Re: openLDAP Access Control mechanism



-----Original Message-----
From: Lim Swee Tat <limst@ncs.com.sg>
>Note the following.  How many of you are currently using userpassword or
>some other field in the server as the authentication means for binding a user.
>I am.  I'd like that only the user be able to authenticate him/herself and
>write to it.


I do.  Fairly simple to set up an ACL in the config to allow the directory
admin to have full access to any entry, and a user bound to a specific entry
to have write control over it.  And, set defaults for anyone else.  This is
done most simply by adding a userpassword attribute to each entry, and using
a simple_bind with the DN and password.

>But look then at the access control level??... I quote...
>Note that an access level implies all lesser access levels (eg. write
>access implies read, search and compare).
>Now in the organization, I don't think in terms of deployment, read access
>even to self is a good idea for allowing access to.


Read access to self is a good thing, otherwise a person can't review his
entry.  And a directory that doesn't open read access to an audience isn't
much use.  Unless the directory is to be used by servers or applications in
a hidden capacity, that is.  Depends on your intended usage...

I did something like the following for a recent project:

=============
defaultaccess none

access to attr=userpassword
 by self write
 by dn="cn=Directory Manager,o=myroot" write
 by * compare

access to *
 by self write
 by dn="cn=Directory Manager,o=myroot" write
 by domain=.*\.mydomain\.com read
 by domain=localhost read
 by dn=".*,ou=users,o=myroot" read
 by * none
==============
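As an added illustration (not code from this mail or from OpenLDAP itself), here is a small Python model of how slapd evaluates the ACL above: the first matching "access to" directive is used, the first matching "by" clause inside it decides, and a level implies every lesser level. It assumes that a directive with no matching "by" clause denies, that "self" is a plain case-insensitive DN comparison, and that the client's hostname is supplied by the caller.

```python
import re

# Access levels in slapd order; a level implies every level to its left.
LEVELS = ["none", "compare", "search", "read", "write"]

# The ACL from the post, transcribed as (target attribute or "*", [(who, level), ...]).
ACL = [
    ("userpassword", [("self", "write"),
                      ("dn=cn=Directory Manager,o=myroot", "write"),
                      ("*", "compare")]),
    ("*", [("self", "write"),
           ("dn=cn=Directory Manager,o=myroot", "write"),
           (r"domain=.*\.mydomain\.com", "read"),
           ("domain=localhost", "read"),
           ("dn=.*,ou=users,o=myroot", "read"),
           ("*", "none")]),
]

def who_matches(who, bind_dn, client_domain, entry_dn):
    """Does a 'by <who>' clause apply to this bind DN / client host / target entry?"""
    if who == "*":
        return True
    if who == "self":  # assumption: case-insensitive string comparison of DNs
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    kind, _, pattern = who.partition("=")
    if kind == "dn":  # dn= is a regular expression matched against the bind DN
        return bind_dn is not None and re.fullmatch(pattern, bind_dn, re.I) is not None
    if kind == "domain":  # domain= is a regular expression on the client's hostname
        return re.fullmatch(pattern, client_domain, re.I) is not None
    raise ValueError(f"unsupported by-clause: {who}")

def granted_level(bind_dn, client_domain, entry_dn, attr):
    """Level granted to bind_dn on attr of entry_dn: first matching directive,
    first matching by-clause; a directive with no matching by-clause denies."""
    for target, clauses in ACL:
        if target != "*" and target.lower() != attr.lower():
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, client_domain, entry_dn):
                return level
        return "none"
    return "none"  # assumption: stands in for 'defaultaccess none'

def allowed(bind_dn, client_domain, entry_dn, attr, wanted):
    """True if the granted level is at least 'wanted' (write implies read, ...)."""
    granted = granted_level(bind_dn, client_domain, entry_dn, attr)
    return LEVELS.index(granted) >= LEVELS.index(wanted)
```

The anonymous case shows what "by * compare" buys: a client can bind against the stored password (a compare) without ever being able to read it.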