[Date Prev][Date Next]
Re: read access control is required.
MS Cheung writes:
> We would like to set up an access control to allow the mail server has
> a read access to all the LDAP data; but the end users only have a read
> access to their own personal data. Would someone please help to
> provide us an example of the ACL setup.
# Since users need to Bind (presumably with passwords), require
# TLS connections for that - reject Bind requests which sent
# passwords unprotected over the net.
# (You may need another security strength factor than 128, depending
# on your setup.)
# Passwords can only be used for authenication, they can
# never be read (except by rootdn).
access to attrs=userPassword by * auth
# Not sure if your mail server authenticates as some user,
# or if you want to provide access to its IP address, or
# what -- you may wish to delete either the dn.exact part
# or the peername part.
access to * by dn.exact=cn=mailserver,dc=example,dc=com
by self read
by * none