[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
restrict ldapsearch to manager
Hi,
I'm using Openldap: slapd 2.2.13 on fedora core 3 with start_tls, I've
created the server certificate and when i search the ldap server using
this command i get the reply i need:
ldapsearch -x -b "dc=xxx,dc=mycompany,dc=com" -H ldap://xxx.mycompany.com
and when i also use the command :
ldapsearch -x -b "dc=xxx,dc=mycompany,dc=com" -H
ldap://xxx.mycompany.com -ZZ
i also get the output of the entire tree same as before, but thats not
what i want, i dont want anyone to search my tree, and only those with
the correct certificate are allowed to do so, or if i can restrict the
search even more that would be better.
is there a way to do it?
thank you in advance.
p.s:
I currently have slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cert/cacert.pem
TLSCertificateFile /etc/openldap/cert/servercert.pem
TLSCertificateKeyFile /etc/openldap/cert/serverkey.pem
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Sample access control policy:
access to *
by dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" read stop
by * none break
access to attr=userPassword
by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
by self write
by anonymous auth
by * none
access to *
by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
by * read
# rootdn can always read and write EVERYTHING!
#limits dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" size=unlimited
time=unlimited
#######################################################################
# ldbm and/or bdb database definitions
database bdb
suffix "dc=xxx,dc=mycompany,dc=com"
rootdn "cn=manager,dc=xxx,dc=mycompany,dc=com"
# Use of strong authentication encouraged.
rootpw {SSHA}711roDqrHM9WGYMCYeBCrNbVpfZYhwFO
#rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq