
Re: read access control is required.



MS Cheung writes:
> We would like to set up an access control to allow the mail server to
> have read access to all the LDAP data, but the end users only have read
> access to their own personal data.  Would someone please help to
> provide us an example of the ACL setup.


# Since users need to Bind (presumably with passwords), require
# TLS connections for that - reject Bind requests which sent
# passwords unprotected over the net.
# (You may need another security strength factor than 128, depending
# on your setup.)
security                simple_bind=128
TLSCertificateFile      ...
TLSCertificateKeyFile   ...
TLSCACertificateFile    ...

# Passwords can only be used for authentication, they can
# never be read (except by rootdn).
access to attrs=userPassword by * auth

# Not sure if your mail server authenticates as some user,
# or if you want to provide access to its IP address, or
# what -- you may wish to delete either the dn.exact part
# or the peername part.
access to * by dn.exact=cn=mailserver,dc=example,dc=com
               peername.ip=11.22.33.44
               read
            by self read
            by *    none
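
To see what these two directives actually grant before loading them into slapd, here is a small Python model of slapd's ACL evaluation (first matching "access to" directive wins, then the first matching "by" clause inside it, with an implicit "by * none" at the end). It is an added illustration, not OpenLDAP code; the mail server DN and IP are the ones from the directives above, and the user DNs in the usage are made up.

```python
# Model of how slapd evaluates the two "access to" directives above.
# Access levels are ordered; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

MAILSERVER_DN = "cn=mailserver,dc=example,dc=com"   # from the ACL above
MAILSERVER_IP = "11.22.33.44"                        # from the ACL above


def who_matches(who, requester, target_dn):
    """<who> selectors used above: '*', 'self', or a dict of combined
    conditions (dn.exact AND peername.ip) that must all hold."""
    if who == "*":
        return True
    if who == "self":
        return requester.get("dn") is not None and requester["dn"] == target_dn
    return all(requester.get(key) == value for key, value in who.items())


# The posted ACL as data: (attribute the directive covers or None for "*",
# ordered list of (who, level)).  Directive order matters: userPassword first.
ACL = [
    ("userPassword", [("*", "auth")]),
    (None, [({"dn": MAILSERVER_DN, "ip": MAILSERVER_IP}, "read"),
            ("self", "read"),
            ("*", "none")]),
]


def granted_level(requester, target_dn, attr):
    """Level the requester gets on attr of target_dn, per slapd's
    first-match rules (simplified: one attribute per directive)."""
    for what_attr, by_clauses in ACL:
        if what_attr is not None and what_attr != attr:
            continue                      # this directive does not apply
        for who, level in by_clauses:
            if who_matches(who, requester, target_dn):
                return level              # first matching "by" decides
        return "none"                     # implicit trailing "by * none"
    return "none"                         # no directive matched at all


def can(requester, target_dn, attr, needed):
    return LEVELS.index(granted_level(requester, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=com"            # constructed user DN
    mailsrv = {"dn": MAILSERVER_DN, "ip": MAILSERVER_IP}
    print(can(mailsrv, alice, "mail", "read"))                 # True
    print(can({"dn": alice, "ip": "10.0.0.5"}, alice, "userPassword", "read"))  # False
```

Note that "self" never gets to read userPassword: the userPassword directive is matched first and its only clause grants auth, so the later "by self read" is never consulted for that attribute.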

-- 
Hallvard