LDAP Server Access controls.

Access controls are the OpenLDAP way of controlling who can read (and write) what. It seems simple enough, but much of the time I've spent "fixing" LDAP was tweaking access controls. I have included a working set of ACLs below. These are a work in progress. The first few ACLs allow anonymous access to the least amount of information needed by the pam_ldap and nss_ldap modules.

Two rules of slapd ACL evaluation explain the ordering. First match wins: slapd applies the first "access to" directive whose target (DN and attribute) matches, and within it the first "by" clause whose subject matches; later directives are not consulted for that target, and if no "by" clause matches, access is denied (an implicit "by * none"). That is why userPassword is protected first and "access to * by * none" comes last; put the catch-all first and nothing else ever matches, not even the "auth" needed to bind. Privileges are cumulative (none < disclose < auth < compare < search < read < write < manage), so "by self write" also lets a user read the attribute, and "by * auth" lets anyone bind against userPassword without being able to read the hash. Likewise "compare" on uniqueMember is enough for an LDAP Compare operation (which is how pam_ldap's group check works) but not for a search filter, while "search" on memberUid lets nss_ldap match a (memberUid=...) filter without the values ever being returned: id and initgroups work, but getent group shows groups with empty member lists.

Two caveats before copying this. The directives as pasted mix two suffixes (dc=nerdcircus,dc=org and dc=crew,dc=ccs,dc=neu,dc=edu); on a single server they would govern different trees, so replace both with your own suffix. And the rootdn bypasses ACLs entirely, so testing as rootdn proves nothing; test as an ordinary user, for example with slapacl(8), which evaluates the config without a running server: slapacl -f slapd.conf -D "uid=someone,ou=people,<suffix>" -b "uid=other,ou=people,<suffix>" userPassword/read (the DNs are placeholders).

# Protect userPasswords
access to attrs=userPassword
    by self write
    by * auth

# allow pam to read /etc/passwd information.
access to dn.subtree="ou=people,dc=nerdcircus,dc=org" attrs=entry,uid,uidNumber,gidNumber,ObjectClass,homeDirectory
    by * read

# But still allow the user to change his/her own shell and gecos
access to dn.subtree="ou=people,dc=crew,dc=ccs,dc=neu,dc=edu" attrs=gecos,loginShell
    by self write
    by * read

# Allow pam to read /etc/groups information from ldap.
# do *NOT* allow pam to list all members of a group.
access to dn.subtree="ou=groups,dc=crew,dc=ccs,dc=neu,dc=edu" attrs=uniqueMember
    by * compare
access to dn.subtree="ou=groups,dc=crew,dc=ccs,dc=neu,dc=edu" attrs=memberUid
    by * search

# allow anon read for group names and numbers.
access to dn.subtree="ou=groups,dc=crew,dc=ccs,dc=neu,dc=edu" attrs=entry,cn,gidNumber,objectClass
    by * read

# for passwd, allow users to update their own shadow info.
access to dn.subtree="ou=people,dc=nerdcircus,dc=org" attrs=shadowLastChange
    by self write
    by * none

# allow users to modify portions of themselves: the public portions.
access to dn.subtree="ou=people,dc=crew,dc=ccs,dc=neu,dc=edu" attrs=cn,sn,givenName,gecos,loginShell,audio,displayName,homePhone,initials,jpegPhoto,labeledURI,mobile,pager,photo,title,telephoneNumber,description
    by self write
    by users read
    by * none

# by default, allow no access.
access to *
    by * none
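As an added example (not code from this page or from OpenLDAP), the following Python models slapd's ACL evaluation rules from slapd.access(5) and runs the page's ACL set through them: the first matching "access to" directive decides, inside it the first matching "by" clause decides, privileges are ordered so write implies read implies search, and a directive none of whose "by" clauses match denies. It assumes a single suffix, dc=example,dc=org, in place of the page's two, the DNs uid=alice and cn=wheel are invented, and rootdn (which bypasses ACLs) and the break/stop controls are not modelled.

```python
"""Model of how slapd evaluates the access directives on this page (added
example, not code from the page or from OpenLDAP).  Assumed rules, per
slapd.access(5): first matching "access to" directive decides; inside it the
first matching "by" clause decides; privileges are ordered, so write implies
read implies search; a directive with no matching "by" denies.  Only what the
page uses is modelled (dn.subtree, attrs, *, self, users), not rootdn, which
bypasses ACLs.  ACL_TEXT is the page's set with both suffixes replaced by
dc=example,dc=org (an assumption)."""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ACL_TEXT = """
access to attrs=userPassword
    by self write
    by * auth
access to dn.subtree="ou=people,dc=example,dc=org" attrs=entry,uid,uidNumber,gidNumber,objectClass,homeDirectory
    by * read
access to dn.subtree="ou=people,dc=example,dc=org" attrs=gecos,loginShell
    by self write
    by * read
access to dn.subtree="ou=groups,dc=example,dc=org" attrs=memberUid
    by * search
access to dn.subtree="ou=groups,dc=example,dc=org" attrs=entry,cn,gidNumber,objectClass
    by * read
access to dn.subtree="ou=people,dc=example,dc=org" attrs=shadowLastChange
    by self write
    by * none
access to dn.subtree="ou=people,dc=example,dc=org" attrs=cn,sn,givenName,displayName,telephoneNumber,description
    by self write
    by users read
    by * none
access to *
    by * none
"""
# The classic mistake: the catch-all placed first shadows every later directive.
BROKEN_TEXT = "access to *\n    by * none\n" + ACL_TEXT


def parse_acls(text):
    """Return [(what, [(who, level), ...])] in directive order; what = {'dn', 'attrs'}."""
    lines = []  # slapd.conf: a line starting with whitespace continues the previous one
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    acls = []
    for line in lines:
        toks = shlex.split(line)  # also strips the quotes around DN values
        if toks[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + line)
        first_by = toks.index("by")
        what = {"dn": None, "attrs": None}  # None = matches any DN / any attribute
        for tok in toks[2:first_by]:
            key, _, val = tok.partition("=")
            if key == "dn.subtree":
                what["dn"] = val.lower()
            elif key == "attrs":
                what["attrs"] = {a.strip().lower() for a in val.split(",") if a.strip()}
            elif tok != "*":
                raise ValueError("unsupported <what> clause: " + tok)
        rest = toks[first_by:]  # "by <who> <level>" triples
        bys = [(rest[i + 1].lower(), rest[i + 2].lower()) for i in range(0, len(rest), 3)]
        acls.append((what, bys))
    return acls


def who_matches(who, bind_dn, target_dn):
    """<who> subjects the page uses; bind_dn is None for an anonymous session."""
    if who == "*":
        return True
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError("unsupported <who> clause: " + who)


def access_allowed(acls, bind_dn, target_dn, attr, want):
    """Would slapd grant privilege `want` on target_dn/attr to a session bound as bind_dn?"""
    dn = target_dn.lower()
    for what, bys in acls:
        if what["dn"] is not None and not (dn == what["dn"] or dn.endswith("," + what["dn"])):
            continue
        if what["attrs"] is not None and attr.lower() not in what["attrs"]:
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(want)
        return False  # directive matched but no <by> clause did: implicit "by * none"
    return False  # no directive matched (unreachable here: the set ends with "access to *")


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=org"  # invented DN
    cases = [(None, alice, "userPassword", "auth"), (None, alice, "userPassword", "read"),
             (alice, alice, "loginShell", "write"), (None, alice, "shadowLastChange", "read")]
    for label, text in ("page order", ACL_TEXT), ("catch-all first", BROKEN_TEXT):
        print(label, [access_allowed(parse_acls(text), b, t, a, w) for b, t, a, w in cases])
```

In page order the four checks come out [True, False, True, False]: anonymous may bind against userPassword but not read it, a user's "self write" on loginShell also covers read, and shadowLastChange is hidden from anonymous. With the catch-all moved to the top every check is False, including the auth needed to bind at all. The model is for building intuition about ordering; the authoritative check against a real config is slapacl(8).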