
Re: OpenLDAP reader-only users, and removing anonymous user reading?



I prefer to define specific access like:

Anonymous reader can only auth,
users after authentication can read and modify.
And I don't want to enter the cn=admin user password into client software,
 so I try to create a cn=redmine-user which I can use to bind with the Redmine LDAP authentication, and which has the right to write only to a group ou=redmine.

Deactivate the anonymous bind globally:

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

To force authentication globally:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

Or here is an equivalent with an ACL? (But I don't see the difference between these two types of configuration ...)
olcAccess: to attrs=userPassword
  by self read
  by anonymous auth
  by * none

And after that I need to make an ACL to authorize my cn=redmine-user to write only to a group ou=redmine, but I have no idea how to write this.

What do you think about that?
Thanks, best regards,
Sr


On Sun, Dec 11, 2011 at 8:18 AM, Dieter Klünter <dieter@dkluenter.de> wrote:
On Sat, 10 Dec 2011 14:14:58 +0100, rey sebastien <reyman64@gmail.com> wrote:

> Hello,
>
> I am looking for some information on how to make reader-only users on my OpenLDAP.
>
> I already have cn=reader-only, and my dn equals
> "dc=parisgeo,dc=cnrs,dc=fr"
>
> How can I create a .ldif with a specific configuration to remove
> anonymous user reading, and authorize reading of my LDAP only with
> the cn=reader-only authentication?

You may either make use of the database-specific configuration
parameter 'olcReadOnly: TRUE' as described in man slapd-config(5), or
define an appropriate access rule; see man slapd-access(5) for further
information.


-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
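As an added example (not from the original post or from Dieter's reply), here is one way to express the access model described above as olcAccess rules on the data database: anonymous can only authenticate, authenticated users read (and change their own entry), and only cn=redmine-user writes under ou=redmine. The database DN olcDatabase={1}hdb,cn=config and the placement of cn=redmine-user and ou=redmine directly under dc=parisgeo,dc=cnrs,dc=fr are assumptions; check them with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix` before applying.

```ldif
# Added example, not from the original post. Assumed database DN; adjust to
# the olcDatabase entry whose olcSuffix is dc=parisgeo,dc=cnrs,dc=fr.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Password attributes: owner may change, anonymous may only use them to bind
# (needed for simple bind to work), nobody else can read them.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
# The Redmine service account may write anything under ou=redmine (assumed
# location); other authenticated users read it; anonymous sees nothing.
olcAccess: {1}to dn.subtree="ou=redmine,dc=parisgeo,dc=cnrs,dc=fr"
  by dn.exact="cn=redmine-user,dc=parisgeo,dc=cnrs,dc=fr" write
  by users read
  by * none
# Everything else: users may modify their own entry and read the rest;
# anonymous gets nothing (so the ACL alone already removes anonymous reading).
olcAccess: {2}to *
  by self write
  by users read
  by * none
```

Rules are evaluated in order and the first matching `to` clause wins, so the ou=redmine rule must precede the catch-all, and `replace:` discards any existing olcAccess values. Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then verify that `ldapsearch -x -b dc=parisgeo,dc=cnrs,dc=fr` (anonymous) returns nothing while a bind as cn=redmine-user can read and write only inside ou=redmine.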