
Let logged-in users see their accounts



I am using OpenLDAP 2.2.15 on RHES3.

I would like to let an account see its own attributes and what groups it
belongs to, but not be able to view other accounts or groups that it does
not belong to. This is a requirement of how a lot of applications work
(e.g., they look at the account you login as and check which groups you
belong to).

Right now I'm using the following ACLs:

access to attr=userPassword
       by self write
       by anonymous auth
       by * none

access to dn.subtree="ou=Accounts,dc=xxx"
       by users read

access to dn.subtree="ou=Groups,dc=xxx"
       by users read

These ACLs let any user see other valid accounts and see who belongs to
what groups. This is a tad unrestricted.

So I'm looking to do something like:

access to attr=userPassword
       by self write
       by anonymous auth
       by * none

access to dn.subtree="uid=[self],ou=Accounts,dc=xxx"
       by self read

access to dn.subtree="cn=[in-this-group],ou=Groups,dc=xxx"
       by self-in-group read

I hope I'm being clear here. :)

I have been reviewing slapd.access but haven't seen a solution so far. I'm
not sure if there is one.
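One way to express the intent above with standard slapd.conf ACL syntax, added here as an illustration rather than anything from the original poster. It relies on two features that slapd.access(5) documents: the `self` who-clause, which matches only the entry whose DN equals the bound DN, and the `dnattr=<attr>` who-clause, which matches when the bound DN is listed in the named attribute of the entry being accessed. The suffix `dc=xxx` is the poster's placeholder; the assumption that group entries are `groupOfNames` objects with a `member` attribute holding full DNs is mine (a `posixGroup` with `memberUid` holds bare uid strings, so `dnattr` cannot be used for it). The final clause granting `search` on the `entry` pseudo-attribute of the two container entries is also an assumption: it is harmless, and lets an application that binds as the user and then searches the whole subtree get results back rather than an empty answer.

```conf
# Added example, not from the original post. Assumes dc=xxx as the suffix
# and groupOfNames/member groups. slapd evaluates access directives in
# order and uses the first one whose <what> matches, so keep the
# userPassword rule first.

# Passwords: a user may change its own, anonymous may bind with it,
# nobody may read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Container entries: allow authenticated users to initiate a subtree
# search from ou=Accounts / ou=Groups without being able to read the
# containers' other attributes. (Assumption: needed for base-object
# search checks; verify against slapd.access(5) for your version.)
access to dn.exact="ou=Accounts,dc=xxx" attrs=entry
        by users search
access to dn.exact="ou=Groups,dc=xxx" attrs=entry
        by users search

# Accounts: each bound user reads only its own entry; every other
# account entry is invisible to it.
access to dn.subtree="ou=Accounts,dc=xxx"
        by self read
        by * none

# Groups: a bound user reads a group entry only if its own DN appears in
# that group's member attribute; all other groups stay hidden.
access to dn.subtree="ou=Groups,dc=xxx"
        by dnattr=member read
        by * none
```

With these rules, a client bound as `uid=alice,ou=Accounts,dc=xxx` that searches `ou=Accounts,dc=xxx` with scope sub sees exactly one entry (its own), and a search of `ou=Groups,dc=xxx` with filter `(member=uid=alice,ou=Accounts,dc=xxx)` returns only the groups alice belongs to, since `read` implies `search` on the `member` attribute for those entries and nothing at all on the rest. Anything not granted falls through to `by * none`, which is also slapd's default when no clause matches.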