[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: What attributes to authenticate (or) How to block the ldap tree for anonymous users

Hi Holger,

I'd try with the following ACLs:

access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=example,dc=com" write
        by users read
        by * none

This way you'll be allowing unauthenticated users to log in using
their password fields and you'll restrict read access on the rest of
the base to authenticated users. The first ACL also allows users to
change their own passwords (write in the userPassword and
shadowLastChange attributes).

2010/9/29 Holger Schier <hschier@mathematik.uni-mainz.de>:
> Hey guys,
> I am working with the LSEE 11 and trying to run a LDAP server. From scratch
> on everything went fine. With the standard configuration I can login, but if
> I use the LDAP Browser and hit anonymous access, I can see my whole LDAP
> tree. User name, mailaddresses and so on. And I am not happy with it.
> So I tried to change the access control from
> access to * by * read
> to
> access to * by * auth
> or
> access to * by * search
> The user password is already in auth mode.
> But with every other configuration instead of read, I cannot login anymore.
> Insufficient access. After the first try with auth I read the log files and
> saw that there is a search operation. So i switched to search. Now the
> server denies some read operations.
> So, my questions are: Is it just normal that anyone can see the LDAP tree?
> Is there any other option to hide my tree? And what attributes have to be
> readable to login?
> Thanks a lot.
> Holger

Diego Lima