LDAP ACL to restrict user to only reading their own user attrs
I want to prevent users from accessing anything other than their own data.
I've tried implementing the following simple ACL (LDIF):

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * none

When I apply this LDIF, I am no longer able to query (objectClass=posixAccount). If I change the last ACL to "to * by * read", the query returns all users.
What am I missing?
ldap openldap
asked Aug 28 at 21:09
Ben Davis
1 Answer
I found out that in order to access a record, one must have "search" privilege. I changed the ACL to:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * search

Using that I was able to query (objectClass=posixAccount) without showing other accounts.
answered Aug 29 at 3:55
Ben Davis
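Why the answer's ACL works, and what else "by * search" on "to *" hands out, is easier to see by stepping through slapd's evaluation rules. The following is an added example, not code from the question or the answer: a small Python model of the documented rules (the first matching "to" clause wins, the first matching "by" within it wins, privilege levels are ordered none < disclose < auth < compare < search < read < write with each implying the lower ones, a search needs "search" on the base entry and on the filtered attributes and "read" on an entry before it is returned, a compare needs "compare") run over a constructed tree with two posixAccount users. The names dc=example,dc=com, alice and bob are made up, and HARDENED_ACL is this example's own tighter proposal rather than anything posted in the thread.

```python
"""Model of slapd's evaluation of the olcAccess clauses posted in this thread.
Added example, not code from the question or answer. Rules applied: first matching
'to' clause wins, first matching 'by' within it wins, privilege levels are ordered
and each implies the lower ones, a search needs 'search' on the base entry and on
filtered attributes and 'read' on an entry to return it, compare needs 'compare'.
The tree is constructed; HARDENED_ACL is this example's own proposal."""
import re
# slapd privilege ordering: a granted level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ACL_RE = re.compile(r"^olcAccess:\s*(?:\{\d+\})?to\s+(.*)$")

def level_ge(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)

def parse_acl(ldif_lines):
    """Parse 'to *' / 'to attrs=a,b' plus 'by <self|anonymous|users|*> <level>' clauses."""
    clauses = []
    for line in ldif_lines:
        m = ACL_RE.match(line.strip())
        if m:                             # dn:/changetype:/replace: lines carry no rule
            target, *bys = [p.strip() for p in m.group(1).split(" by ")]
            attrs = None if target == "*" else set(target[len("attrs="):].split(","))
            clauses.append((attrs, [tuple(b.split()) for b in bys]))
    return clauses

def access(acl, bind_dn, target_dn, attr):
    """Level bind_dn (None = anonymous) holds on attr of target_dn ('entry' = the entry itself)."""
    for attrs, by in acl:
        if attrs is not None and attr not in attrs:
            continue                      # 'to' does not match, try the next clause
        for who, level in by:             # first matching 'by' decides
            if (who == "*" or (who == "self" and bind_dn == target_dn)
                    or (who == "anonymous" and bind_dn is None)
                    or (who == "users" and bind_dn is not None)):
                return level
        return "none"                     # implicit 'by * none' closes every clause
    return "none"                         # not reached: every ACL below ends with 'to *'

BASE = "dc=example,dc=com"
ALICE = "uid=alice,ou=people," + BASE
BOB = "uid=bob,ou=people," + BASE
DIRECTORY = {  # constructed sample tree
    BASE: {"objectClass": ["dcObject", "organization"]},
    "ou=people," + BASE: {"objectClass": ["organizationalUnit"]},
    ALICE: {"objectClass": ["posixAccount"], "gidNumber": ["1000"], "userPassword": ["{SSHA}alice"]},
    BOB: {"objectClass": ["posixAccount"], "gidNumber": ["1001"], "userPassword": ["{SSHA}bob"]},
}

def search(acl, bind_dn, base, filter_attr, filter_value, directory=DIRECTORY):
    """Subtree search: DNs sent back, or None if the requester lacks 'search' on the base entry."""
    if not level_ge(access(acl, bind_dn, base, "entry"), "search"):
        return None
    found = []
    for dn, attrs in ((d, a) for d, a in directory.items() if d.endswith(base)):
        # evaluating the filter needs 'search' on the tested attribute ...
        if (not level_ge(access(acl, bind_dn, dn, filter_attr), "search")
                or filter_value not in attrs.get(filter_attr, [])):
            continue
        # ... and returning the entry needs 'read' on its 'entry' pseudo-attribute
        if level_ge(access(acl, bind_dn, dn, "entry"), "read"):
            found.append(dn)
    return found

def compare(acl, bind_dn, dn, attr, value, directory=DIRECTORY):
    """LDAP compare: True/False when permitted, None when denied ('search' implies 'compare')."""
    if not level_ge(access(acl, bind_dn, dn, attr), "compare"):
        return None
    return value in directory[dn].get(attr, [])

COMMON = [
    "olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none",
    "olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none",
]
QUESTION_ACL = parse_acl(COMMON + ["olcAccess: {2}to * by self read by * none"])   # as posted
ANSWER_ACL = parse_acl(COMMON + ["olcAccess: {2}to * by self read by * search"])  # the answer's fix
# This example's own tighter variant (an assumption, not from the thread): grant
# 'search' only on the entry pseudo-attribute and only to authenticated users.
HARDENED_ACL = parse_acl(COMMON + [
    "olcAccess: {2}to attrs=entry by self read by users search by * none",
    "olcAccess: {3}to * by self read by * none",
])

def run_scenarios():
    f = ("objectClass", "posixAccount")
    return {
        "question_alice_search": search(QUESTION_ACL, ALICE, BASE, *f),
        "answer_alice_search": search(ANSWER_ACL, ALICE, BASE, *f),
        "answer_anonymous_search": search(ANSWER_ACL, None, BASE, *f),
        # 'by * search' on 'to *' implies compare for everyone, anonymous included
        "answer_alice_compares_bob_gid": compare(ANSWER_ACL, ALICE, BOB, "gidNumber", "1001"),
        "answer_anon_compares_bob_gid": compare(ANSWER_ACL, None, BOB, "gidNumber", "1001"),
        "hardened_alice_search": search(HARDENED_ACL, ALICE, BASE, *f),
        "hardened_anonymous_search": search(HARDENED_ACL, None, BASE, *f),
        "hardened_alice_compares_bob_gid": compare(HARDENED_ACL, ALICE, BOB, "gidNumber", "1001"),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:32} {result!r}")
```

Two things fall out of running it. With the question's ACL an ordinary user holds no access at all on the suffix entry, so slapd never lets the search start; that, not the filter, is why (objectClass=posixAccount) returned nothing. With the answer's ACL the search works and only the requester's own entry comes back, because returning an entry needs "read" on it, but "search" implies "compare" and "by *" covers anonymous binds, so anyone who can bind, anonymously included, can confirm attribute values of any entry with ldapcompare (userPassword and shadowLastChange stay protected only because their earlier clauses match first). Granting "search" solely on the entry pseudo-attribute, and solely to "users", as HARDENED_ACL does, keeps the search working and closes that oracle. The model leaves out dn-based "to" targets, "break"/"stop" controls, group and regex matching, and the default that applies when no clause matches; check the real ACL with slapacl(8) before deploying it.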