Re: permissions (acl) for nss_ldap
Hi,
Something like the following will do:
    access to attr=userPassword
        by self =w
        by dn="your-admin-dn-here" write
        by anonymous =x
        by * none
    access to attr=objectClass
        by dn="your-admin-dn-here" write
        by * read
In this order, the security of your password will be protected, but the
read access to the objectClass posixAccount needed by nss_ldap will be
provided. You can't specify access to posixAccount without giving access
to objectClass because the former is a value of the latter.
Your rootbinddn should then be whatever you set as your admindn. You could
also set up a special user to do this root binding. I use the same one I
use for replication. You will need to put the password for this user in
/etc/ldap.secret in plain text, so this file should be readable only by
root.
Craig
On Mon, 14 Jan 2002, Stephan Lauffer wrote:
> hi!
>
> hope it's not too OT here...
>
> maybe somebody has already checked out acl settings
> for the use of nss_ldap (objectclass: posixAccount should
> define the needed attributes).
> I want to have a minimum of needed permissions.
> Thinking about adding a new "rootbinddn" (see ldap.conf)
> for every host using nss_ldap...
> Can somebody please tell me what permissions are needed
> for nss_ldap?
>
> Kind regards, with best regards
> Stephan Lauffer
>
> [ Pedagogical University Freiburg - Germany ]
> [ http://www.ph-freiburg.de/zik/ ]
>
--
........................................................................
$Id: mathdeptsysadmin,v 1.0 Mon Jan 14 11:13:23 2002 Craig Squires Exp $
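The point Craig makes about ordering (slapd picks the first matching "access to" directive, and within it the first matching "by" clause) is easy to get wrong, so here is a small added example, written for this thread and not part of the original post or of OpenLDAP itself, that models that first-match evaluation over the two rules above. The admin DN and user DNs are assumed placeholders; "=w" and "=x" are modelled as "exactly the listed privilege" and the bare levels ("read", "write") as cumulative, which is how slapd.access(5) describes them.

```python
"""Toy model of slapd ACL evaluation (first-match semantics).

Constructed example for the nss_ldap ACL discussion; DNs are placeholders.
It does not talk to a directory, it only shows which privileges each kind
of requester ends up with under the posted rules.
"""

# Cumulative privilege order used by slapd: each level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Single-letter privilege codes accepted after "=" (e.g. "=w", "=x").
LETTERS = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
           "r": "read", "w": "write", "m": "manage"}

ADMIN_DN = "cn=admin,dc=example,dc=com"            # stands in for "your-admin-dn-here"
USER_DN = "uid=alice,ou=people,dc=example,dc=com"   # constructed posixAccount entry
OTHER_DN = "uid=bob,ou=people,dc=example,dc=com"    # another ordinary user

# The rules from the post, as (attribute, [(who, privilege), ...]) in order.
ACLS = [
    ("userPassword", [("self", "=w"), (ADMIN_DN, "write"),
                      ("anonymous", "=x"), ("*", "none")]),
    ("objectClass", [(ADMIN_DN, "write"), ("*", "read")]),
]


def privileges(spec):
    """Expand a privilege spec into the set of operations it grants.

    "=w" style grants exactly the listed letters (write without read);
    a bare level such as "read" or "write" is cumulative.
    """
    if spec.startswith("="):
        return {LETTERS[ch] for ch in spec[1:]}
    idx = LEVELS.index(spec)
    return set(LEVELS[1:idx + 1])   # "none" expands to the empty set


def who_matches(who, requester, target_dn):
    """Does a 'by <who>' clause apply to this requester (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target_dn
    return requester == who        # explicit dn="..." clause


def access(requester, target_dn, attr, acls=ACLS):
    """Return the set of operations `requester` may perform on `attr` of
    `target_dn`, using slapd's first-matching-directive, first-matching-
    clause evaluation. Once any access directive exists, slapd's fallback
    for everything else is 'access to * by * none', modelled here as set().
    """
    for rule_attr, clauses in acls:
        if rule_attr != attr:
            continue
        for who, priv in clauses:
            if who_matches(who, requester, target_dn):
                return privileges(priv)
        return set()                # implicit trailing 'by * none'
    return set()                    # no directive matched this attribute


def can_bind(user_dn, acls=ACLS):
    """A simple bind compares the supplied password against userPassword
    while the connection is still anonymous, so it needs 'auth' (=x)."""
    return "auth" in access(None, user_dn, "userPassword", acls)


if __name__ == "__main__":
    for label, requester in [("anonymous", None), ("self", USER_DN),
                             ("admin", ADMIN_DN), ("other user", OTHER_DN)]:
        pw = sorted(access(requester, USER_DN, "userPassword"))
        oc = sorted(access(requester, USER_DN, "objectClass"))
        print(f"{label:10} userPassword={pw} objectClass={oc}")
    print("bind possible:", can_bind(USER_DN))

    # Swapping the order so 'by * none' comes first silently locks everyone out,
    # which is why the post stresses "in this order".
    misordered = [("userPassword", [("*", "none"), ("self", "=w")])]
    print("self can write with 'by * none' first:",
          "write" in access(USER_DN, USER_DN, "userPassword", misordered))
```

Run it as a script to see the table; the interesting lines are that anonymous gets only auth on userPassword (enough for a bind, not enough to read the hash), the user can change but not read their own password, and objectClass stays readable for the unauthenticated lookups nss_ldap performs.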