
Re: Can domain admins be filtered out with ACLs?



Hi,

For those who might find this thread through Google and, like me, are
overwhelmed with information and don't understand the documentation:
the RootDN cannot be restricted from having privileges under OpenLDAP
2.4. Hence, ACLs won't do anything for the RootDN. This is documented.

Someone elsewhere pointed this out for me.

Sincerely,

Igor Shmukler

On Wed, Apr 15, 2015 at 5:41 PM, Igor Shmukler <igor.shmukler@gmail.com> wrote:
> Hello,
>
> I tried to filter out everyone except cn=config when my ACL filter
> rule is true (a NAME type attribute matches a value), so that password
> authentication for filtered-out users would fail.
> It works for regular users, and does not for admins. Is this because
> my ACL rules are wrong, or is this a feature of OpenLDAP? Why no
> matter what I do
>
> My LDIF is below:
>
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   filter=(serviceLevel=suspended)
>   by dn="cn=config" write
>   by * none
> olcAccess: {1}to attrs=userPassword,shadowLastChange
>   filter=(!(serviceLevel=suspended))
>   by self write
>   by anonymous auth
>   by dn="cn=admin,dc=directory,dc=com" write
>   by dn="cn=config" write
>   by * none
> olcAccess: {2}to dn.base="" by * read
> olcAccess: {3}to *
>   filter=(serviceLevel=suspended)
>   by dn="cn=config" write
>   by * none
> olcAccess: {4}to *
>   filter=(!(serviceLevel=suspended))
>   by self write
>   by dn="cn=admin,dc=directory,dc=com" write
>   by dn="cn=config" write
>   by * read
>
> Is there something special about LDAP administrator, by design?
>
> Thank you,
>
> Igor Shmukler
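One way to act on this in practice, added here as an example that is not part of the thread: make the rootDN an identity nobody binds with day to day, so the administrator entry the ACLs above already name (`cn=admin,dc=directory,dc=com`) becomes an ordinary entry those ACLs govern. It assumes the `{2}hdb` database's `olcRootDN` is currently `cn=admin,dc=directory,dc=com` and that an entry with that DN exists in the directory; the new rootDN value is a placeholder.

```ldif
# Added example, not from the thread. Assumption: olcRootDN of the
# {2}hdb database is currently cn=admin,dc=directory,dc=com, which is
# why the {0}/{3} rules cannot lock that identity out: the rootDN of a
# database bypasses every olcAccess rule for that database.
#
# Step 1: point olcRootDN at a dedicated identity that is not used for
# routine binds (placeholder name) and remove the stored olcRootPW, so
# no network client can authenticate as the rootDN at all. Local
# maintenance still works over ldapi:/// with SASL EXTERNAL.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root-placeholder,dc=directory,dc=com
-
delete: olcRootPW

# Step 2: nothing to add. cn=admin,dc=directory,dc=com is now a plain
# entry, so the existing rules apply to it:
#   {1}/{4} grant it write on non-suspended entries (it is named there),
#   {0}/{3} do not name it, so it is denied on suspended entries,
#   and if its own entry ever gets serviceLevel=suspended, rule {0}
#   denies "auth" on its userPassword and its binds fail like any user's.
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:///` from the server, then bind as `cn=admin,dc=directory,dc=com` and search a suspended entry: a correct setup returns nothing, where before the change every attribute was readable.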