Can domain admins be filtered out with ACLs?
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: Can domain admins be filtered out with ACLs?
- From: Igor Shmukler <igor.shmukler@gmail.com>
- Date: Wed, 15 Apr 2015 17:41:57 +0200
Hello,
I tried to filter out everyone except cn=config when my ACL filter
rule is true (a NAME type attribute matches a value), so that password
authentication for filtered-out users would fail.
It works for regular users, but not for admins. Is this because
my ACL rules are wrong, or is this a feature of OpenLDAP? Why no
matter what I do
My LDIF is below:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 filter=(serviceLevel=suspended)
 by dn="cn=config" write
 by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
 filter=(!(serviceLevel=suspended))
 by self write
 by anonymous auth
 by dn="cn=admin,dc=directory,dc=com" write
 by dn="cn=config" write
 by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
 filter=(serviceLevel=suspended)
 by dn="cn=config" write
 by * none
olcAccess: {4}to *
 filter=(!(serviceLevel=suspended))
 by self write
 by dn="cn=admin,dc=directory,dc=com" write
 by dn="cn=config" write
 by * read
Is there something special about the LDAP administrator, by design?
Thank you,
Igor Shmukler
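An added example, not part of the post above, that models how slapd selects one of the {0}/{1} rules for a simple bind and why the database rootdn is unaffected: slapd.conf(5) documents that the rootdn is not subject to access control. It assumes cn=admin,dc=directory,dc=com is the olcRootDN of olcDatabase={2}hdb (the post does not say), and the sample entries are constructed here.

```python
# Model of the post's {0} and {1} olcAccess rules for userPassword, the
# attribute a simple bind needs "auth" access to.  Assumption: the admin
# DN below is the database's olcRootDN.
ROOTDN = "cn=admin,dc=directory,dc=com"
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Each rule: (filter predicate on the entry, ordered list of by-clauses).
ACL = [
    # {0} filter=(serviceLevel=suspended)
    (lambda e: e.get("serviceLevel") == "suspended",
     [("dn", "cn=config", "write"), ("*", None, "none")]),
    # {1} filter=(!(serviceLevel=suspended))
    (lambda e: e.get("serviceLevel") != "suspended",
     [("self", None, "write"), ("anonymous", None, "auth"),
      ("dn", ROOTDN, "write"), ("dn", "cn=config", "write"),
      ("*", None, "none")]),
]

def granted(entry, binder):
    """Access level the ACL grants `binder` on entry's userPassword.
    binder is None for an anonymous requester (the state during a bind)."""
    for matches, by_clauses in ACL:
        if not matches(entry):
            continue                      # first matching 'to' clause wins
        for who, arg, level in by_clauses:
            if (who == "*"
                    or (who == "anonymous" and binder is None)
                    or (who == "self" and binder == entry["dn"])
                    or (who == "dn" and binder == arg)):   # plain dn= is exact
                return level              # first matching 'by' clause wins
        return "none"                     # no 'by' clause matched
    return "none"

def simple_bind_allowed(entry):
    """Simple bind runs anonymously and needs 'auth' on userPassword; the
    rootdn bypasses ACLs entirely, so its bind never reaches these rules."""
    if entry["dn"] == ROOTDN:
        return True
    return LEVELS.index(granted(entry, None)) >= LEVELS.index("auth")

if __name__ == "__main__":
    # Constructed sample entries (not from the post).
    for e in ({"dn": "uid=bob,dc=directory,dc=com", "serviceLevel": "suspended"},
              {"dn": "uid=alice,dc=directory,dc=com", "serviceLevel": "active"},
              {"dn": ROOTDN, "serviceLevel": "suspended"}):
        print(e["dn"], "bind allowed:", simple_bind_allowed(e))
```

To block the admin account as well, the test to use is a non-rootdn admin DN; the rootdn itself cannot be constrained by olcAccess.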