Tons of configuration problems



Hello, this is my first posting. I'm moderately new to LDAP; I've skimmed
and read parts of the RFCs and the admin guide, but a co-worker and I
are still having some problems:

I work for ZoomTown.com, an ADSL and Dial-In ISP and I'm setting up a
company directory. I have a person who will be administrating the
directory's contents and I am administrating the server, the LDAP
install, configuration and maintenance myself. We have some information
we wish to be "secure", such as the employees' homeTelephoneNumber and
homePostalAddress as these are only meant to be used for mailings and
such and only the directory admin will need to access this information.
Now, obviously we wish to secure the userPassword from being read by
anyone not connected as an authenticated user and we want anyone to be
able to search on the uid (for the purposes of web pages where the web
script will connect anonymously, do a search on the uid the person
entered, if the uid exists then it will try to connect as an
authenticated user and compare the password the user entered with the
password in the directory). Otherwise, we want all data readable only by
an authenticated user.

With that, I've attempted to write my own slapd.conf, but upon every
revision something breaks or doesn't work correctly. This is a box
running Linux with a Red Hat 6.0 distribution and, I believe, a stock
2.2.5-15smp Red Hat kernel. The version of slapd currently running is
1.2.7. What I am asking for is help in correctly writing this ACL. Below
are my current slapd.conf ACLs; there is no "defaultaccess" directive,
lastmod is set to on and "suffix" is set to "o=Zoomtown.com,C=US".

access to attr=userPassword,homeTelephoneNumber,homePostalAddress
        by self write
        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
        by * none
access to attr=uid
        by self write
        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
        by * search
access to attr=entry
        by self write
        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
        by * none

And once again, these rules need to meet the following requirements:
* Authenticated users can do anything to their own homeTelephoneNumber,
homePostalAddress and userPassword, and "Directory Admin" can do anything
to those attributes. Anonymous users should *not* be able to do anything
to those attributes.
* Authenticated users can do anything to their own uid, and Directory
Admin can do anything to the uid attribute. Anonymous users can only
search on uid (this is for the purposes of the web page authentication).
* As for the rest of the attributes not already covered by the
previous two rules, authenticated users can do anything to their own
attributes and Directory Admin can do anything to anyone's attributes.
Anonymous people (non-authenticated) can't do a thing.

Those rules should take care of protecting all attributes.

Thanks,
Geoff (geoffeg@fuse.net)
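An ACL that meets the three requirements listed in the post, written in OpenLDAP 1.2 slapd.conf syntax as an added example (not the poster's configuration). It assumes the suffix and the Directory Admin DN given in the post, and uses the 1.x idiom `dn=".+"` (any non-empty bind DN) to mean "authenticated user".

```conf
# Added example, not the original poster's slapd.conf.
# Assumes suffix o=ZoomTown.com,c=US and admin DN
# cn=Directory Admin,o=ZoomTown.com,c=US as stated in the post.
#
# Evaluation order matters: slapd uses the first "access to" clause
# whose <what> matches the attribute being checked, and within it the
# first "by" clause that matches the requester. The catch-all "*"
# clause must therefore come last. Every dn= value is a regular
# expression, so the admin DN is anchored and its dots escaped;
# an unanchored pattern would also match longer DNs that merely
# contain that string.

# Requirement 1: private attributes - owner and admin only, nobody else.
access to attr=userPassword,homeTelephoneNumber,homePostalAddress
        by self write
        by dn="^cn=Directory Admin,o=ZoomTown\.com,c=US$" write
        by * none

# Requirement 2: uid - owner and admin write, authenticated users read,
# anonymous may only search (needed for the web login check).
access to attr=uid
        by self write
        by dn="^cn=Directory Admin,o=ZoomTown\.com,c=US$" write
        by dn=".+" read
        by * search

# Requirement 3: everything else (including the entry itself) - owner
# and admin write, any authenticated bind read, anonymous nothing.
access to *
        by self write
        by dn="^cn=Directory Admin,o=ZoomTown\.com,c=US$" write
        by dn=".+" read
        by * none
```

Verify it the way the web script will use it: run ldapsearch anonymously with a uid filter (should match without returning homeTelephoneNumber or userPassword), then bind as an ordinary user and as the admin and confirm that each can read and modify only what the requirements allow.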