openldap-software May 2010 archive
Main Archive Page > Month Archives  > openldap-software archives
openldap-software: OpenLDAP 2.3 Access Lists

OpenLDAP 2.3 Access Lists

From: Dan Burkland <dburklan_at_nospam>
Date: Fri May 14 2010 - 17:43:13 GMT
To: "openldap-software@openldap.org" <openldap-software@openldap.org>

Hello all,

I have been trying as of late to secure my OpenLDAP directory and I have seem to run into a wall. I am trying to restrict access to certain attributes for my user entries located in ou=people,dc=example,dc=com so that only my binddn can access them. Here is a list of my current ACLs:

access to dn="cn=binddn,ou=system,ou=services,dc=example,dc=com
        attrs=userPassword
        by * auth

access to dn.regex="uid=.*,ou=people,dc=example,dc=com" attrs=uid,uidNumber,loginShell
        by dn="cn=binddn,ou=system,ou=services,dc=example,dc=com" read
        by * none

It seems I can get the rule to match without the "attrs" argument however as soon as I add that to the ACL entry I get denied access to the previously listed attributes for users in ou=people. If it helps any I am using the OpenLDAP-servers 2.3.43 CentOS RPM.

Thanks again,

Dan