[Date Prev][Date Next] [Chronological] [Thread] [Top]

restrict ldapsearch to manager



Hi,
I'm using Openldap: slapd 2.2.13 on fedora core 3 with start_tls, I've created the server certificate and when i search the ldap server using this command i get the reply i need:
ldapsearch -x -b "dc=xxx,dc=mycompany,dc=com" -H ldap://xxx.mycompany.com
and when i also use the command :
ldapsearch -x -b "dc=xxx,dc=mycompany,dc=com" -H ldap://xxx.mycompany.com -ZZ
i also get the output of the entire tree same as before, but thats not what i want, i dont want anyone to search my tree, and only those with the correct certificate are allowed to do so, or if i can restrict the search even more that would be better.
is there a way to do it?
thank you in advance.


p.s:
I currently have slapd.conf:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /etc/openldap/cert/cacert.pem
TLSCertificateFile      /etc/openldap/cert/servercert.pem
TLSCertificateKeyFile   /etc/openldap/cert/serverkey.pem

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# Sample access control policy:
access to *
 by dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" read stop
 by * none break
access to attr=userPassword
       by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
       by self write
       by anonymous auth
       by * none
access to *
       by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
       by * read
# rootdn can always read and write EVERYTHING!

#limits dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" size=unlimited time=unlimited

#######################################################################
# ldbm and/or bdb database definitions

database        bdb
suffix          "dc=xxx,dc=mycompany,dc=com"
rootdn          "cn=manager,dc=xxx,dc=mycompany,dc=com"
# Use of strong authentication encouraged.
rootpw          {SSHA}711roDqrHM9WGYMCYeBCrNbVpfZYhwFO
#rootpw         secret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sambaSID                  eq
index sambaPrimaryGroupSID      eq