[Date Prev][Date Next] [Chronological] [Thread] [Top]

Access



Hi all,

I just subscribed to this list, and hope that someone can help me.

I have installed openLDAP 1.2.11 through RPM's on my RedHat 7 machine. I
have also transferred all of my user accounts to the LDAP directory, and I
can authenticate my users through the LDAP directory.

However, my LDAP directory is world-readable, this is not something I am
keen on, since there are passwords (which the users need to authenticate to
the system) in the directory. I've tried varios access scenarios, but none
of them works. There either to restrictive, or the LDAP deamon chokes on it.

What I would like to have is an LDAP directory that is:
- not world-readable, exept for the cn, gecos and mail attributes of the
users.
- users can read their information, and that of others, expect the
userpassword attribute.
- users may change their own userpassword attribute.

Is this feasable? (For instance: I don't know if PAM still works if the LDAP
directory wouldn't be world-readable anymore)
Does anybody has a set of access rules that accomplishes the above?

Any help would be appreciated,

    A. Brinkman
    eon@eon.za.net