20040713 openldap access controls - plembo/onemoretech GitHub Wiki
title: OpenLDAP Access Controls
link: https://onemoretech.wordpress.com/2004/07/13/openldap-access-controls/
author: lembobro
post_id: 770
created: 2004/07/13 14:33:00
created_gmt: 2004/07/13 14:33:00
comment_status: open
post_name: openldap-access-controls
status: publish
post_type: post
OpenLDAP Access Controls
At work we don’t use OpenLDAP — yet. But that doesn’t keep me from continuing to experiment with what I consider the best LDAP directory software available today.
Perhaps one of the most daunting tasks for a neophyte OpenLDAP administrator is properly setting up access controls. Although acknowledged by all to be “powerful”, the regex-style ACL syntax used by OpenLDAP is a real stumbling block to many. The primary rule to observe is that access directives are evaluated in order and the first one that matches wins: once an attribute or dn has had rights to it defined, any subsequent attempt to define access to it will be ineffective. Failure to define the access of a particular category of user (users, self, anonymous) within the matching directive will result in a denial of access to that category. I found that ordering my rules from specific to general, according to logical groupings of dns or attributes, was the most effective strategy. These groupings usually relate to who should be able to see and write to particular attributes or dns. For example, the following control
```
access to attr=uid,c,title
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=example,dc=com" write
        by users read
```
(in slapd.conf each “by” clause is written on a single line, as above, and is indented so that slapd reads it as a continuation of the “access to” line; there is no backslash line-continuation character, so the whole clause from “by group” to “write” must stay together)
will result in title only being writable by admins, and only being readable by authenticated users (write implies read, which also implies search). Users cannot write to the attribute. Everyone else (anonymous) will be unable to see it at all. Note the unintuitive syntax for defining a group’s rights — I have the author of this WLUG Wiki to thank for leading me to the correct string to use. Also note that in an actual access control the “by” line would not contain a line break.
Following is a default set of ACLs I recently implemented in production. As in an actual slapd.conf file, each “access to” line and each “by” line is written without a break, and the “by” lines are indented so that slapd treats them as continuations of the “access to” directive above them.
```
# Custom access controls - created 12/31/03 by P Lembo
# Read access to root dse by all
# (dn.base, as in the next two rules, so the empty string is matched exactly
#  and names only the root DSE)
access to dn.base=""
        by * read
# Access by all to schema
access to dn.base="cn=subschema"
        by * read
# Access to monitor by all
access to dn.base="cn=monitor"
        by * read
# Limited access to password
access to attr=userpassword
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users auth
        by anonymous auth
# Limited access to Posix account attributes
access to attr=uidnumber,gidnumber,homedirectory,loginshell,gecos
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self read
# Limited access to Samba account attributes
access to attr=lmpassword,ntpassword,pwdlastset,acctflags,logontime,logofftime,kickofftime,pwdcanchange,pwdmustchange,smbhome,homedrive,profilepath,userworkstations,primarygroupid,rid
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self read
# User access to organizational attributes
access to attr=o,ou,c,description,uniquemember
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by users read
# Access to public attributes by all
# (c is already matched by the organizational rule above, so because the first
#  matching rule wins, only uid and title are actually public here)
access to attr=uid,c,title
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by users read
        by anonymous read
# Self write access to public attributes
access to attr=cn,displayname,sn,givenname,mail,telephonenumber,facsimiletelephonenumber
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users read
        by anonymous read
# Self write and limited access to private attributes
access to attr=homephone
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users read
# Self write and read access to all other attributes
access to *
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users read
        by anonymous read
```
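The following is an added example, not part of the original post and not OpenLDAP's own code: a toy evaluator that applies the two rules described above (the first matching “access to” directive wins, and a requester category that no “by” clause covers is denied) to a subset of the production ACLs. It also reads the indented “by” lines as slapd.conf continuation lines. The requester identities (alice, bob, an administrator who is a uniquemember of the Administrators group) are constructed for the example; the ACL text is taken from the post.

```python
"""Toy model of slapd ACL evaluation, added for this page; NOT OpenLDAP code.
It understands only the slapd.conf subset the post uses (access to attr=...,
dn.base=..., *; by group/<oc>/<attr>=<dn>, self, users, anonymous, *) and
applies first-match-wins for "access to", first-match-wins for "by", and
default deny when nothing matches."""
import re
from dataclasses import dataclass, field
from typing import Optional

# slapd access levels, weakest first; a level implies every lower one
# ("write implies read, which also implies search").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class Requester:
    bound_dn: Optional[str] = None   # None models an anonymous connection
    groups: frozenset = frozenset()  # DNs of groups the bound DN belongs to


@dataclass
class Access:
    kind: str                               # "attr", "dn.base" or "*"
    what: object                            # frozenset of attrs, a DN, or "*"
    by: list = field(default_factory=list)  # [(who, level), ...] in file order


def parse_acls(conf: str) -> list:
    """Parse 'access to <what>' directives with their 'by <who> <level>' clauses.
    As in slapd.conf, '#' starts a comment and a line beginning with whitespace
    continues the previous line (that is how indented 'by' lines attach)."""
    logical = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    acls = []
    for line in logical:
        parts = re.split(r"\s+by\s+", line)
        if not parts[0].startswith("access to "):
            raise ValueError("not an access directive: " + line)
        what = parts[0][len("access to "):].strip()
        if what == "*":
            acl = Access("*", "*")
        elif what.startswith("attr="):
            acl = Access("attr", frozenset(a.lower() for a in what[5:].split(",")))
        elif what.startswith("dn.base="):
            acl = Access("dn.base", what[len("dn.base="):].strip('"').lower())
        else:
            raise ValueError("unsupported <what> clause: " + what)
        for clause in parts[1:]:
            who, level = clause.rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            acl.by.append((who, level))
        acls.append(acl)
    return acls


def matches_what(acl: Access, target_dn: str, attr: Optional[str]) -> bool:
    """attr= rules cover that attribute in any entry; dn.base= rules cover the
    named entry and everything in it; * covers everything."""
    if acl.kind == "*":
        return True
    if acl.kind == "attr":
        return attr is not None and attr.lower() in acl.what
    return target_dn.lower() == acl.what


def matches_who(who: str, req: Requester, target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.bound_dn is None
    if who == "users":
        return req.bound_dn is not None
    if who == "self":
        return req.bound_dn is not None and req.bound_dn.lower() == target_dn.lower()
    if who.startswith("group/"):
        group_dn = who.split("=", 1)[1].strip('"').lower()
        return group_dn in {g.lower() for g in req.groups}
    raise ValueError("unsupported <who> clause: " + who)


def effective_level(acls: list, req: Requester, target_dn: str, attr: Optional[str]) -> str:
    """First matching 'access to' decides; inside it the first matching 'by'
    decides; no match at either level means 'none' (default deny)."""
    for acl in acls:
        if not matches_what(acl, target_dn, attr):
            continue
        for who, level in acl.by:
            if matches_who(who, req, target_dn):
                return level
        return "none"
    return "none"


def granted(acls: list, req: Requester, target_dn: str, attr: Optional[str], wanted: str) -> bool:
    return LEVELS.index(effective_level(acls, req, target_dn, attr)) >= LEVELS.index(wanted)


# Sample input: a subset of the post's production ACLs (constructed here from the post).
SAMPLE_CONF = '''
access to dn.base=""
        by * read
access to attr=userpassword
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users auth
        by anonymous auth
access to attr=o,ou,c,description,uniquemember
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by users read
access to attr=uid,c,title
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by users read
        by anonymous read
access to *
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=company,dc=com" write
        by self write
        by users read
        by anonymous read
'''
ACLS = parse_acls(SAMPLE_CONF)

# Constructed identities (not from the post).
ADMIN_GROUP = "cn=Administrators,dc=company,dc=com"
ALICE = "uid=alice,ou=people,dc=company,dc=com"
BOB = "uid=bob,ou=people,dc=company,dc=com"
ANON = Requester()
ALICE_REQ = Requester(bound_dn=ALICE)
ADMIN_REQ = Requester(bound_dn="uid=admin,ou=people,dc=company,dc=com", groups=frozenset({ADMIN_GROUP}))

if __name__ == "__main__":
    for attr in ("title", "c", "userpassword", "mail"):
        print(attr, "anon:", effective_level(ACLS, ANON, ALICE, attr),
              "alice:", effective_level(ACLS, ALICE_REQ, ALICE, attr),
              "admin:", effective_level(ACLS, ADMIN_REQ, ALICE, attr))
```

Running it reproduces the behaviour described for the first example (authenticated users get read but not write on title, anonymous gets what the rule grants and nothing more) and also exposes the ordering trap in the production set: because `c` is listed in the organizational rule, which comes first, an anonymous bind gets `none` on `c` even though the later “public attributes” rule names it with `by anonymous read`. Checking a real server the same way, by binding as each category of user and reading or modifying the attribute in question, is the practical way to confirm that rule order does what you intended.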
Copyright 2004-2019 Phil Lembo