20040713 openldap access controls - plembo/onemoretech GitHub Wiki

title: OpenLDAP Access Controls
link: https://onemoretech.wordpress.com/2004/07/13/openldap-access-controls/
author: lembobro
description:
post_id: 770
created: 2004/07/13 14:33:00
created_gmt: 2004/07/13 14:33:00
comment_status: open
post_name: openldap-access-controls
status: publish
post_type: post

OpenLDAP Access Controls

At work we don’t use OpenLDAP — yet. But that doesn’t keep me from continuing to experiment with what I consider the best LDAP directory software available today.

Perhaps one of the most daunting tasks for a neophyte OpenLDAP administrator is properly setting up access controls. Although acknowledged by all to be “powerful”, the regex-style ACL syntax used by OpenLDAP is a real stumbling block to many. The primary rule to observe is that once an access directive has matched an attribute or dn, any later directive for that attribute or dn is never consulted and so has no effect. Failing to define the access of a particular category of user (users, self, anonymous) within a directive results in a denial of access for that category. I found that ordering my rules from specific to general, according to logical groupings of dns or attributes, was the most effective strategy. These groupings usually relate to who should be able to see and write to particular attributes or dns. For example, the following control

    access to attr=uid,c,title
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=example,dc=com" write
        by users read

will result in title only being writable by admins, and only being readable by authenticated users (write implies read, which also implies search). Users cannot write to the attribute. Everyone else (anonymous) will be unable to see it at all, because no “by” clause matches an anonymous bind. Note the unintuitive syntax for defining a group’s rights — I have the author of this WLUG Wiki to thank for leading me to the correct string to use. The “by group” clause is written on a single line, as it must appear in an actual access control.

Following is a default set of ACLs I recently implemented in production. Each “access to” and “by” clause is written here on a single line, as it is in the actual slapd.conf file.

    # Custom access controls - created 12/31/03 by P Lembo
    # Read access to root dse by all
    access to dn=""
        by * read
    # Access by all to schema
    access to dn.base="cn=subschema"
        by * read
    # Access to monitor by all
    access to dn.base="cn=monitor"
        by * read
    # Limited access to password
    access to attr=userpassword
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users auth
        by anonymous auth
    # Limited access to Posix account attributes
    access to attr=uidnumber,gidnumber,homedirectory,loginshell,gecos
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self read
    # Limited access to Samba account attributes
    access to attr=lmpassword,ntpassword,pwdlastset,acctflags,logontime,logofftime,kickofftime,pwdcanchange,pwdmustchange,smbhome,homedrive,profilepath,userworkstations,primarygroupid,rid
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self read
    # User access to organizational attributes
    access to attr=o,ou,c,description,uniquemember
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by users read
    # Access to public attributes by all
    access to attr=uid,c,title
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by users read
        by anonymous read
    # Self write access to public attributes
    access to attr=cn,displayname,sn,givenname,mail,telephonenumber,facsimiletelephonenumber
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users read
        by anonymous read
    # Self write and limited access to private attributes
    access to attr=homephone
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users read
    # Self write and read access to all other attributes
    access to *
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users read
        by anonymous read
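To make the first-match rule concrete, here is a small Python model of slapd's ACL evaluation seeded with the userpassword, Posix, public, homephone and catch-all directives from the listing above. It is an added example, not code from this post or from OpenLDAP: the group membership and the user DNs are constructed, and the access levels are listed in increasing order as slapd ranks them. The MISORDERED list holds the same directives with the catch-all first, the mistake the specific-to-general ordering advice guards against.

```python
# Added example (not from the post): a model of slapd's first-match ACL evaluation, seeded
# with rules from the listing above. Levels in increasing order as slapd ranks them.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ADMINS = "cn=Administrators,dc=company,dc=com"
# Constructed group membership (slapd reads it from the group entry's uniquemember values).
GROUP_MEMBERS = {ADMINS: {"uid=phil,ou=people,dc=company,dc=com"}}
# ("access to" attribute targets, "by" clauses) from the listing, in the listed order;
# "*" stands for the catch-all directive.
RULES = [
    ({"userpassword"}, [("group:" + ADMINS, "write"), ("self", "write"),
                        ("users", "auth"), ("anonymous", "auth")]),
    ({"uidnumber", "gidnumber", "homedirectory", "loginshell", "gecos"},
     [("group:" + ADMINS, "write"), ("self", "read")]),
    ({"uid", "c", "title"}, [("group:" + ADMINS, "write"), ("users", "read"),
                             ("anonymous", "read")]),
    ({"homephone"}, [("group:" + ADMINS, "write"), ("self", "write"), ("users", "read")]),
    ("*", [("group:" + ADMINS, "write"), ("self", "write"), ("users", "read"),
           ("anonymous", "read")]),
]

def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous bind."""
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("group:"):
        return requester in GROUP_MEMBERS.get(who[len("group:"):], set())
    return who == "*"

def access(rules, requester, entry_dn, attr):
    """Level granted on attr of entry_dn. Only the first directive covering attr is
    consulted; within it the first matching 'by' clause wins, and if none matches
    access is denied (slapd's implicit 'by * none')."""
    for targets, by_clauses in rules:
        if targets == "*" or attr.lower() in targets:
            for who, level in by_clauses:
                if who_matches(who, requester, entry_dn):
                    return level
            return "none"
    return "none"

def allows(rules, requester, entry_dn, attr, needed):
    """True if the granted level covers 'needed' (write implies read implies search)."""
    return LEVELS.index(access(rules, requester, entry_dn, attr)) >= LEVELS.index(needed)

# The same directives with the catch-all first: every later directive becomes unreachable.
MISORDERED = [RULES[-1]] + RULES[:-1]
```

With RULES an anonymous bind gets only auth on userpassword and nothing on homephone; with MISORDERED the catch-all grants anonymous read on both, and the password directive is never reached.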

Copyright 2004-2019 Phil Lembo