[Date Prev][Date Next] [Chronological] [Thread] [Top]

restrict ldapsearch to manager

To: openldap-software <openldap-software@OpenLDAP.org>
Subject: restrict ldapsearch to manager
From: Omar Al-Tabari <otabari@batelco.jo>
Date: Thu, 17 Mar 2005 15:33:04 +0200
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

Hi, I'm using Openldap: slapd 2.2.13 on fedora core 3 with start_tls, I've created the server certificate and when i search the ldap server using this command i get the reply i need: ldapsearch -x -b "dc=xxx,dc=mycompany,dc=com" -H ldap://xxx.mycompany.com and when i also use the command : ldapsearch -x -b "dc=xxx,dc=mycompany,dc=com" -H ldap://xxx.mycompany.com -ZZ i also get the output of the entire tree same as before, but thats not what i want, i dont want anyone to search my tree, and only those with the correct certificate are allowed to do so, or if i can restrict the search even more that would be better. is there a way to do it? thank you in advance.

p.s:
I currently have slapd.conf:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /etc/openldap/cert/cacert.pem
TLSCertificateFile      /etc/openldap/cert/servercert.pem
TLSCertificateKeyFile   /etc/openldap/cert/serverkey.pem

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# Sample access control policy:
access to *
 by dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" read stop
 by * none break
access to attr=userPassword
       by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
       by self write
       by anonymous auth
       by * none
access to *
       by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
       by * read
# rootdn can always read and write EVERYTHING!

#limits dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" size=unlimited time=unlimited

#######################################################################
# ldbm and/or bdb database definitions

database        bdb
suffix          "dc=xxx,dc=mycompany,dc=com"
rootdn          "cn=manager,dc=xxx,dc=mycompany,dc=com"
# Use of strong authentication encouraged.
rootpw          {SSHA}711roDqrHM9WGYMCYeBCrNbVpfZYhwFO
#rootpw         secret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sambaSID                  eq
index sambaPrimaryGroupSID      eq

Follow-Ups:
- Re: restrict ldapsearch to manager
  - From: Karsten Gorling <kgorling@physik.TU-Berlin.DE>

Prev by Date: Re: Distributed LDAP
Next by Date: Re: restrict ldapsearch to manager
Index(es):
- Chronological
- Thread