LDAP ACL to restrict user to only reading their own user attrs

I want to prevent users from accessing anything other than their own data.



I've tried implementing the following simple acl (ldif):



# olc ordering indices are written in braces; applied to cn=config with ldapmodify
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * none


When I apply this ldif, I am no longer able to query (objectClass=posixAccount). If I change the last ACL to "to * by * read", the query returns all users.



What am I missing?










Tags: ldap openldap






      asked Aug 28 at 21:09









      Ben Davis

          1 Answer
          I found out that in order to access a record, one must have "search" privilege. I changed the ACL to:



# same ldapmodify form as in the question; only the last rule's final <by> clause changed
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * search


          Using that I was able to query (objectClass=posixAccount) without showing other accounts.






                answered Aug 29 at 3:55









                Ben Davis
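To make the mechanism behind the question and the answer concrete, here is an added Python model of how slapd evaluates these ACLs during a search (example code written for this page, not OpenLDAP's own): it shows the question's ACL refusing the search at the base entry because "self" never matches the base DN, the answer's ACL returning only the bound user's own entry, and, as an added variant not on the page, the same rule with "by users search by * none" so that an anonymous bind cannot traverse the tree at all. The directory tree, the DNs and the evaluation order are constructed simplifications of slapd's real rules (no dn/filter selectors, dnattr or regex matching).

```python
# Constructed model of slapd ACL evaluation for a search (not OpenLDAP code): first
# matching <to> clause wins, then its first matching <by>; each level implies lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
def access(acl, target_dn, attr, bound_dn):
    """Level bound_dn gets on attr of target_dn ('entry' is the pseudo-attribute)."""
    for attrs, bys in acl:                       # attrs=None models "to *"
        if attrs is None or attr in attrs:
            for who, level in bys:
                if (who == "*" or (who == "self" and bound_dn == target_dn)
                        or (who == "users" and bound_dn is not None)
                        or (who == "anonymous" and bound_dn is None)):
                    return level
            break                                # <to> matched but no <by>: deny
    return "none"
def allowed(acl, target_dn, attr, bound_dn, need):
    return LEVELS.index(access(acl, target_dn, attr, bound_dn)) >= LEVELS.index(need)
def search(acl, tree, base_dn, attr, value, bound_dn):
    """DNs returned to bound_dn by a subtree search for attr=value; None = refused."""
    if not allowed(acl, base_dn, "entry", bound_dn, "search"):
        return None                              # no 'search' on the base entry
    hits = []
    for dn, entry in tree.items():
        # a candidate needs 'search' on its entry and on the filtered attribute ...
        if (not dn.endswith(base_dn)
                or not allowed(acl, dn, "entry", bound_dn, "search")
                or value not in entry.get(attr, ())
                or not allowed(acl, dn, attr, bound_dn, "search")):
            continue
        # ... and 'read' on its 'entry' pseudo-attribute to be sent back
        if allowed(acl, dn, "entry", bound_dn, "read"):
            hits.append(dn)
    return hits

BASE = "dc=example,dc=com"                       # constructed directory
ALICE, BOB = f"uid=alice,ou=people,{BASE}", f"uid=bob,ou=people,{BASE}"
TREE = {
    BASE: {"objectClass": {"dcObject"}},
    ALICE: {"objectClass": {"posixAccount"}, "uid": {"alice"}, "userPassword": {"x"}},
    BOB: {"objectClass": {"posixAccount"}, "uid": {"bob"}, "userPassword": {"y"}},
}
PASSWORD_RULES = [
    ({"userPassword"}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ({"shadowLastChange"}, [("self", "write"), ("self", "read"), ("*", "none")]),
]
ACL_QUESTION = PASSWORD_RULES + [(None, [("self", "read"), ("*", "none")])]
ACL_ANSWER = PASSWORD_RULES + [(None, [("self", "read"), ("*", "search")])]
# Tighter variant (assumption, not from the page): only authenticated users traverse
ACL_USERS_ONLY = PASSWORD_RULES + [(None, [("self", "read"), ("users", "search"), ("*", "none")])]
def posix_accounts_seen_by(acl, bound_dn):
    return search(acl, TREE, BASE, "objectClass", "posixAccount", bound_dn)
```

With the answer's rule an anonymous bind still gets "search" on every entry, so it can traverse the tree and have filters evaluated even though nothing is returned; the users-only variant refuses it at the base.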
