openldap access controls ng - plembo/onemoretech GitHub Wiki

# OpenLDAP Access Controls: The Next Generation

October 25, 2016

Went down a rabbit hole yesterday trying to get the Fedora Project's OpenLDAP 2.4 server package up and running on one of my Fedora 24 machines. Finally got it going, but was really disappointed at how much harder its configuration is with the new OLC (On-Line Configuration) interface. The actual configuration wasn't difficult; the hard part was wading through pages of badly written and incomplete documentation from both Red Hat and the OpenLDAP project.

I'm not going to correct that here. Don't have the time right now. Maybe at a later date. For now what I have are some access controls that I wrote for my test server, correctly (I hope) using the latest syntax:

```ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn="" by * read
olcAccess: {1}to attrs=userpassword by group.exact="cn=Administrators,dc=exa
 mple,dc=com" write by self write by users auth by anonymous auth
olcAccess: {2}to attrs=uidnumber,gidnumber,homedirectory,loginshell,gecos by
  group.exact="cn=Administrators,dc=example,dc=com" write by self read
olcAccess: {3}to attrs=o,ou,c,description,uniquemember by group.exact="cn=Ad
 ministrators,dc=example,dc=com" write by users read
olcAccess: {4}to attrs=uid,c,title by group.exact="cn=Administrators,dc=exam
 ple,dc=com" write by users read by anonymous read
olcAccess: {5}to attrs=cn,displayname,sn,givenname,mail,telephonenumber,facs
 imiletelephonenumber by group.exact="cn=Administrators,dc=example,dc=com" w
 rite by self write by users read by anonymous read
olcAccess: {6}to attrs=homephone by group.exact="cn=Administrators,dc=exampl
 e,dc=com" write by self write by users read
olcAccess: {7}to * by group.exact="cn=Administrators,dc=example,dc=com" writ
 e by self write by users read by anonymous read
```

For anyone who thinks this stuff is easy: guess again. The above code was exported from my directory after I loaded it, line-by-line because my original text was full of junk.
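As an added sanity check (my own example, not code from the original post or from the OpenLDAP project), here is a small Python audit that unfolds LDIF continuation lines, parses each `{n}to ... by ...` value, and flags what is worth confirming before loading: gaps in the `{n}` ordering, a missing final `to *`, and any grant above `auth` on `userPassword` to `users`, `anonymous` or `*`. The samples are constructed from three of the rules above plus a weak variant with the `userPassword` rule removed; the access-level ordering is slapd's, and `users`/`anonymous`/`*` are the only "who" values it inspects.

```python
import re
# Constructed sample: three of this page's olcAccess rules, in folded LDIF form
# (continuation lines start with one space) so the unfolding step is exercised.
PAGE_LDIF = """dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn="" by * read
olcAccess: {1}to attrs=userpassword by group.exact="cn=Administrators,dc=exa
 mple,dc=com" write by self write by users auth by anonymous auth
olcAccess: {2}to * by group.exact="cn=Administrators,dc=example,dc=com" writ
 e by self write by users read by anonymous read
"""
# Constructed weak variant: the userPassword rule is dropped (gap at {1}), so the
# catch-all governs userPassword and every authenticated user can read the hashes.
WEAK_LDIF = "\n".join(l for l in PAGE_LDIF.splitlines()
                      if "{1}" not in l and not l.startswith(" mple")) + "\n"
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space means 'append to previous line'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_olc_access(text):
    """Return [(index, what, [(who, level), ...])] for each olcAccess value."""
    rules = []
    for line in unfold_ldif(text):
        m = re.match(r'olcAccess:\s*\{(\d+)\}to\s+(.*?)\s+by\s+(.*)$', line)
        if m:  # each 'by' clause ends with its access level
            clauses = [tuple(c.rsplit(" ", 1)) for c in m.group(3).split(" by ")]
            rules.append((int(m.group(1)), m.group(2), clauses))
    return rules

def audit(text, attr="userpassword"):
    """Flag index gaps, a missing final 'to *', and any grant above 'auth' on `attr`."""
    rules, findings = parse_olc_access(text), []
    if [r[0] for r in rules] != list(range(len(rules))):
        findings.append("indices not contiguous from {0}: %s" % [r[0] for r in rules])
    if not rules or rules[-1][1] != "*":
        findings.append("last rule is not a catch-all 'to *'")
    for _, what, clauses in rules:  # slapd applies the first 'to' that matches attr
        m = re.match(r"attrs=(\S+)", what)
        if what == "*" or (m and attr in m.group(1).lower().split(",")):
            for who, level in clauses:
                if who in ("users", "anonymous", "*") and level in LEVELS and LEVELS.index(level) > 2:
                    findings.append("%s: '%s' gets %s on %s" % (what, who, level, attr))
            break
    return findings
```

`audit(PAGE_LDIF)` returns an empty list; `audit(WEAK_LDIF)` reports the index gap and the two read grants on `userPassword`.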

Copyright 2004-2019 Phil Lembo