Let logged-in users see their accounts
I am using OpenLDAP 2.2.15 on RHES3.
I would like to let an account see its own attributes and what groups it
belongs to, but not be able to view other accounts or groups that it does
not belong to. This is a requirement of how a lot of applications work
(e.g., they look at the account you log in as and check which groups you
belong to).
Right now I'm using the following ACLs:
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="ou=Accounts,dc=xxx"
        by users read
access to dn.subtree="ou=Groups,dc=xxx"
        by users read
These ACLs let any user see other valid accounts and who belongs to
which groups. This is a tad unrestricted.
So I'm looking to do something like:
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="uid=[self],ou=Accounts,dc=xxx"
        by self read
access to dn.subtree="cn=[in-this-group],ou=Groups,dc=xxx"
        by self-in-group read
I hope I'm being clear here. :)
I have been reviewing slapd.access but haven't seen a solution so far. I'm
not sure if there is one.
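One way to express the wanted restriction in slapd.conf is shown below. This is an added example, not part of the original post; it assumes the account entries sit directly under ou=Accounts, the groups are groupOfNames entries whose member attribute holds full account DNs, and dc=xxx stands in for the real suffix.

```conf
# Passwords: owner may change, anyone may bind against it, nobody else sees it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# A bound user needs search access to the "entry" pseudo-attribute of the
# search base, otherwise a search rooted at ou=Accounts fails outright.
# Granting only "search" here does not let the user read or list anything.
access to dn.base="ou=Accounts,dc=xxx" attrs=entry
        by users search
        by * none

# Each account may read its own entry; every other account is invisible
# because candidates the user cannot "search" are silently dropped.
access to dn.subtree="ou=Accounts,dc=xxx"
        by self read
        by * none

# Same base-entry rule for the groups container.
access to dn.base="ou=Groups,dc=xxx" attrs=entry
        by users search
        by * none

# A group is readable only by DNs listed in its member attribute
# (dnattr=member compares the requestor's DN with that attribute), so a
# search like (member=<own DN>) returns exactly the caller's own groups.
access to dn.subtree="ou=Groups,dc=xxx"
        by dnattr=member read
        by * none
```

If the groups are groupOfUniqueNames, use dnattr=uniqueMember instead; posixGroup entries keep memberUid (a bare uid, not a DN), so dnattr cannot be used for them.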