Re: read access control is required.
MS Cheung writes:
> We would like to set up access control to allow the mail server to have
> read access to all the LDAP data, but the end users only have read
> access to their own personal data. Would someone please help to
> provide us with an example of the ACL setup.
# Since users need to Bind (presumably with passwords), require
# TLS connections for that - reject Bind requests which sent
# passwords unprotected over the net.
# (You may need another security strength factor than 128, depending
# on your setup.)
security simple_bind=128
TLSCertificateFile ...
TLSCertificateKeyFile ...
TLSCACertificateFile ...
# Passwords can only be used for authentication, they can
# never be read (except by rootdn).
access to attrs=userPassword by * auth
# Not sure if your mail server authenticates as some user,
# or if you want to provide access to its IP address, or
# what -- you may wish to delete either the dn.exact part
# or the peername part.
access to * by dn.exact=cn=mailserver,dc=example,dc=com
                   peername.ip=11.22.33.44
                   read
        by self read
        by * none
--
Hallvard
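The part of the fragment above that is easy to get wrong is the evaluation order: slapd uses the first "access to" directive whose <what> matches the attribute, and within it the first "by" clause whose conditions all hold. That is why the mail server ends up with only "auth" on userPassword even though the later "access to *" grants it "read", and why it gets nothing at all when it connects from a different address. The script below is an added illustration of that logic and is not OpenLDAP code or part of Hallvard's reply; it models only the subset of slapd.access(5) semantics the fragment relies on, the DNs and IP it uses are the example values from the post, and its string normalisation is a crude stand-in for slapd's real DN and attribute matching rules.

```python
"""Model of how slapd picks a privilege level for the ACL in the post.

Modelled (simplified) semantics:
  * 'access to' directives are tried in order; the first whose <what>
    matches the requested attribute decides the outcome.
  * Within it, 'by' clauses are tried in order; the first whose every
    <who> condition holds applies (several <who> on one line are AND'ed).
  * If the matching directive has no matching 'by', access is denied
    (implicit 'by * none').
  * Privilege levels are ordered; a grant implies every lower level.
"""
from dataclasses import dataclass
from typing import Callable, Optional

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

@dataclass(frozen=True)
class Request:
    bind_dn: Optional[str]  # DN the client bound as; None = anonymous
    peer_ip: str            # client address as slapd sees it (peername.ip)
    target_dn: str          # entry being accessed
    attr: str               # attribute being accessed

Who = Callable[[Request], bool]

def norm(s: str) -> str:
    # Crude normalisation; slapd applies the schema's matching rules instead.
    return "".join(s.split()).lower()

def who_anyone(req: Request) -> bool:              # by *
    return True

def who_self(req: Request) -> bool:                # by self
    return req.bind_dn is not None and norm(req.bind_dn) == norm(req.target_dn)

def who_dn_exact(dn: str) -> Who:                  # by dn.exact=<dn>
    return lambda req: req.bind_dn is not None and norm(req.bind_dn) == norm(dn)

def who_peer_ip(ip: str) -> Who:                   # by peername.ip=<ip>
    return lambda req: req.peer_ip == ip

@dataclass(frozen=True)
class By:
    conds: tuple  # every <who> condition on this 'by' line must hold
    level: str

@dataclass(frozen=True)
class Access:
    attrs: Optional[frozenset]  # None models 'access to *'
    bys: tuple

    def covers(self, req: Request) -> bool:
        return self.attrs is None or norm(req.attr) in self.attrs

def granted_level(acl, req: Request) -> str:
    for access in acl:
        if not access.covers(req):
            continue  # not the directive for this attribute, keep looking
        for by in access.bys:
            if all(cond(req) for cond in by.conds):
                return by.level  # first matching 'by' wins
        return "none"  # directive matched, no 'by' did: implicit 'by * none'
    # Unreachable for the post's ACL, which ends with 'access to *'.
    return "none"

def allowed(acl, req: Request, needed: str) -> bool:
    return LEVELS.index(granted_level(acl, req)) >= LEVELS.index(needed)

# The two directives from the post, transcribed into the model.
MAILSERVER_DN = "cn=mailserver,dc=example,dc=com"
MAILSERVER_IP = "11.22.33.44"
POST_ACL = (
    # access to attrs=userPassword by * auth
    Access(frozenset({norm("userPassword")}), (By((who_anyone,), "auth"),)),
    # access to * by dn.exact=... peername.ip=... read / by self read / by * none
    Access(None, (
        By((who_dn_exact(MAILSERVER_DN), who_peer_ip(MAILSERVER_IP)), "read"),
        By((who_self,), "read"),
        By((who_anyone,), "none"),
    )),
)

if __name__ == "__main__":
    # Constructed sample entries; not from any real directory.
    alice, bob = "uid=alice,dc=example,dc=com", "uid=bob,dc=example,dc=com"
    cases = [
        ("mail server, right IP, reads alice's mail", Request(MAILSERVER_DN, MAILSERVER_IP, alice, "mail")),
        ("mail server, right IP, reads alice's password", Request(MAILSERVER_DN, MAILSERVER_IP, alice, "userPassword")),
        ("mail server, wrong IP, reads alice's mail", Request(MAILSERVER_DN, "10.0.0.9", alice, "mail")),
        ("alice reads her own mail", Request(alice, "10.0.0.9", alice, "mail")),
        ("alice reads bob's mail", Request(alice, "10.0.0.9", bob, "mail")),
        ("anonymous binds as alice (needs auth on userPassword)", Request(None, "10.0.0.9", alice, "userPassword")),
    ]
    for label, req in cases:
        print(f"{label:55s} -> {granted_level(POST_ACL, req)}")
```

Running it prints "auth" for the mail server's access to userPassword and "none" for the mail server from the wrong address, which is exactly the behaviour the comments in the fragment describe; if you intend the mail server to be identified by bind DN alone or by address alone, drop the corresponding who_* condition from the first By, mirroring the deletion Hallvard suggests in the config.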