
Authentication Problem

I have an LDAP server that provides authentication credentials to apache via mod_auth_ldap. Everything is working great as far as authentication goes. I want to provide a web based system that allows new users to create themselves in the LDAP directory. I have written the php pages for this create process. During development I have been using the rootdn and password when binding to the LDAP server. I don't want to have the rootdn password in text files. I figured I could create a php user that would be used by php when interacting with LDAP. I cannot figure out how to set up the access levels to allow the php user to only be able to access "ou=people,dc=example,dc=com". I have set up the user "uid=php,ou=people,dc=example,dc=com"; the rootdn is "uid=admin,ou=people,dc=example,dc=com". How do I set up slapd.conf so that the "uid=php..." user can add new entries and read "*,ou=people,dc=example,dc=com" but is not allowed to read anything else? I have tried lots of combos and tested using the ldapadd utility to no avail. I can replicate and show the errors if needed. Also, as a side question, can I limit the access of the php user via the IP address?

(Current) slapd.conf:

security ssf=1 update_ssf=112 simple_bind=64

access to attr=userPassword
by self write
by anonymous auth
by dn.base="uid=admin,ou=people,dc=example,dc=com" write
by * none

access to *
by self write
by dn.base="uid=admin,ou=people,dc=example,dc=com" write
by * read
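The following ACL set is an added example from the editor, not the poster's configuration or anything from the OpenLDAP project; it shows one way to give "uid=php" just enough access to add entries under "ou=people" while keeping it out of the rest of the tree, and answers the IP side question with a peername clause. The address 192.0.2.10 is a constructed placeholder for the web server, and the "peername.ip" style assumes OpenLDAP 2.2 or later syntax.

```conf
# Password hashes: the owner may change theirs, anyone may bind against them,
# and the php account may set one while creating a user (only from the web host).
access to dn.children="ou=people,dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by dn.exact="uid=php,ou=people,dc=example,dc=com" peername.ip=192.0.2.10 write
        by * none

# Adding an entry under ou=people requires write access to the parent's
# "children" pseudo-attribute; grant only that on the ou itself.
access to dn.base="ou=people,dc=example,dc=com" attrs=children
        by dn.exact="uid=php,ou=people,dc=example,dc=com" peername.ip=192.0.2.10 write
        by * none

# The user entries themselves (this also covers the "entry" pseudo-attribute,
# which an add needs). php may write from the web host and read from anywhere.
access to dn.children="ou=people,dc=example,dc=com"
        by self write
        by dn.exact="uid=php,ou=people,dc=example,dc=com" peername.ip=192.0.2.10 write
        by * read

# Everything else: php gets nothing; processing stops at the first matching "by"
# clause, so the explicit "none" keeps it from falling through to "* read".
access to *
        by dn.exact="uid=php,ou=people,dc=example,dc=com" none
        by * read
```

Two things matter when placing this in slapd.conf: slapd uses the first "access to" whose target matches the entry, so the rules for ou=people must come before "access to *", and the rootdn named in slapd.conf bypasses access control entirely, so the "dn.base=uid=admin,..." clauses in the original file have no effect and can be dropped. A quick check with the ldapadd used above is to bind as uid=php from the web host and add a test user (should succeed), then repeat from another address (should fail with insufficient access), and finally ldapsearch as uid=php with a base outside ou=people (should return nothing).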