LDAP ACL to restrict user to only reading their own user attrs

I want to prevent users from accessing anything other than their own data.

I've tried implementing the following simple ACL (LDIF):

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * none

When I apply this LDIF, I am no longer able to query (objectClass=posixAccount). If I change the last ACL to "to * by * read", the query returns all users.



What am I missing?










asked Aug 28 at 21:09









Ben Davis

1 Answer
I found out that in order to access a record, one must have "search" privilege. I changed the ACL to:

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * search

Using that I was able to query (objectClass=posixAccount) without showing other accounts.






answered Aug 29 at 3:55









Ben Davis
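To show why "by * none" makes the search fail outright while "by * search" returns only the bound user's own entry, here is an added Python model (not code from the question or answer) of the checks slapd applies during a subtree search: search access to the base entry's "entry" pseudo-attribute, search access to every attribute named in the filter, read access to an entry's "entry" pseudo-attribute before it is returned, and read access to each returned attribute. The directory, the DNs and the simplified "who" handling (only self, anonymous and *) are assumptions constructed for the example; the three ACL variants are the ones from the question and the answer.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def grants(level, needed):
    """True if an access level includes the needed one (each level implies the lower ones)."""
    return LEVELS.index(level) >= LEVELS.index(needed)

# Constructed directory: the search base and two posixAccount entries (assumed data).
BASE = "ou=People,dc=example,dc=com"
DIRECTORY = {
    BASE: {"objectClass": "organizationalUnit"},
    "uid=alice," + BASE: {"objectClass": "posixAccount", "uid": "alice", "userPassword": "{SSHA}x"},
    "uid=bob," + BASE: {"objectClass": "posixAccount", "uid": "bob", "userPassword": "{SSHA}y"},
}

def access(rules, bound_dn, target_dn, attr):
    """First rule whose target matches decides, using its first matching 'by' clause."""
    for attrs, clauses in rules:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who == "*" or (who == "self" and bound_dn == target_dn) \
                    or (who == "anonymous" and bound_dn is None):
                return level
        return "none"          # rule matched but no clause did: implicit "by * none"
    return "none"              # no rule matched at all

def search(rules, bound_dn, filter_attr, filter_val):
    """Subtree search under BASE, applying each access check slapd requires."""
    # search access to the base entry's "entry" pseudo-attribute, else the search fails
    if not grants(access(rules, bound_dn, BASE, "entry"), "search"):
        return []
    results = []
    for dn, entry in DIRECTORY.items():
        # evaluating the filter needs search access to the filtered attribute
        if not grants(access(rules, bound_dn, dn, filter_attr), "search"):
            continue
        if entry.get(filter_attr) != filter_val:
            continue
        # returning an entry needs read access to its "entry" pseudo-attribute
        if not grants(access(rules, bound_dn, dn, "entry"), "read"):
            continue
        results.append((dn, [a for a in entry if grants(access(rules, bound_dn, dn, a), "read")]))
    return results

# The three ACL variants discussed above, in olcAccess order (attrs=None means "to *").
PW = (["userPassword"], [("self", "write"), ("anonymous", "auth"), ("*", "none")])
SHADOW = (["shadowLastChange"], [("self", "write"), ("self", "read"), ("*", "none")])
ORIGINAL = [PW, SHADOW, (None, [("self", "read"), ("*", "none")])]    # search fails at the base
WIDE_OPEN = [PW, SHADOW, (None, [("self", "read"), ("*", "read")])]   # every account returned
ANSWER = [PW, SHADOW, (None, [("self", "read"), ("*", "search")])]    # only the bound user's entry
```

Run search(ANSWER, "uid=alice," + BASE, "objectClass", "posixAccount") to see alice's entry alone; the same call with ORIGINAL returns nothing because alice lacks search access to the base entry, and with WIDE_OPEN it returns bob as well (minus his userPassword, which rule {0} still denies).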
