LDAP Server Access controls.

Access controls are the OpenLDAP way of controlling who can read what. It seems simple enough, but much of the time I've spent "fixing" LDAP has gone into tweaking access controls.

I have included a working set of ACLs below. These are a work in progress.

The first few ACLs allow anonymous access to only the minimum information needed by the pam_ldap and pam_nss modules.

# slapd evaluates these directives in order: the first "access to" clause that
# matches the entry/attribute being accessed wins, so the catch-all must stay last.
# Note: the rules below reference two base DNs (dc=nerdcircus,dc=org and
# dc=crew,dc=ccs,dc=neu,dc=edu); use the base DN of your own directory.

# Protect userPasswords: only the owner may write, everyone else may only bind with it.
access to attrs=userPassword
  by self write
  by * auth

# Allow pam to read /etc/passwd information.
access to dn.subtree="ou=people,dc=nerdcircus,dc=org"
attrs=entry,uid,uidNumber,gidNumber,objectClass,homeDirectory
  by * read

# But still allow the user to change his/her own shell and gecos.
access to dn.subtree="ou=people,dc=crew,dc=ccs,dc=neu,dc=edu"
attrs=gecos,loginShell
  by self write
  by * read

# Allow pam to read /etc/group information from LDAP.
# Do *NOT* allow pam to list all members of a group: "compare" lets a client
# ask "is X a member?" without being able to read the membership list.
access to dn.subtree="ou=groups,dc=crew,dc=ccs,dc=neu,dc=edu"
attrs=uniqueMember
  by * compare

access to dn.subtree="ou=groups,dc=crew,dc=ccs,dc=neu,dc=edu"
attrs=memberUid
  by * search

# Allow anonymous read for group names and numbers.
access to dn.subtree="ou=groups,dc=crew,dc=ccs,dc=neu,dc=edu"
attrs=entry,cn,gidNumber,objectClass
  by * read

# For passwd, allow users to update their own shadow info.
access to dn.subtree="ou=people,dc=nerdcircus,dc=org"
attrs=shadowLastChange
  by self write
  by * none

# Allow users to modify the public portions of their own entries.
# (The attrs list must be a single comma-separated token with no spaces.)
access to dn.subtree="ou=people,dc=crew,dc=ccs,dc=neu,dc=edu"
attrs=cn,sn,givenName,gecos,loginShell,audio,displayName,homePhone,initials,jpegPhoto,labeledURI,mobile,pager,photo,title,telephoneNumber,description
  by self write
  by users read
  by * none

# By default, allow no access.
access to *
  by * none
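To see how these rules combine before loading them into slapd, here is an added Python evaluator (not from the original page) that applies OpenLDAP's first-match semantics to a constructed copy of some of the rules above, written against the dc=nerdcircus,dc=org base; the requester and target DNs are assumptions.

```python
import re
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # each level implies the lower ones
# Constructed copy of some of the page's ACLs, written against a single base DN.
SAMPLE_ACLS = """access to attrs=userPassword
  by self write
  by * auth
access to dn.subtree="ou=people,dc=nerdcircus,dc=org" attrs=entry,uid,uidNumber,gidNumber,objectClass,homeDirectory
  by * read
access to dn.subtree="ou=groups,dc=nerdcircus,dc=org" attrs=uniqueMember
  by * compare
access to dn.subtree="ou=people,dc=nerdcircus,dc=org" attrs=gecos,loginShell,homePhone
  by self write
  by users read
  by * none
access to *
  by * none
"""

def parse_acls(text):  # -> [(what, [(who, level), ...])]; None in what means "any"
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    acls = []
    for clause in re.split(r"^\s*access to\s+", body, flags=re.M)[1:]:
        tokens = clause.split()
        by_idx = tokens.index("by")
        what = {"dn": None, "attrs": None}
        for tok in tokens[:by_idx]:
            if tok.startswith("dn.subtree="):
                what["dn"] = tok.split("=", 1)[1].strip('"').lower()
            elif tok.startswith("attrs="):
                what["attrs"] = {a.lower() for a in tok.split("=", 1)[1].split(",")}
        rest = tokens[by_idx:]  # "by", who, level, "by", who, level, ...
        acls.append((what, [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]))
    return acls

def who_matches(who, requester, target_dn):  # requester is None for an anonymous bind
    return (who == "*" or (who == "anonymous" and requester is None) or (who == "users" and requester is not None)
            or (who == "self" and requester is not None and requester.lower() == target_dn))

def access_level(acls, requester, target_dn, attr):
    # First directive matching the target wins; inside it the first matching 'by' wins (implicit 'by * none').
    target_dn = target_dn.lower()
    for what, bys in acls:
        in_tree = not what["dn"] or target_dn == what["dn"] or target_dn.endswith("," + what["dn"])
        if not in_tree or (what["attrs"] and attr.lower() not in what["attrs"]):
            continue
        return next((lvl for who, lvl in bys if who_matches(who, requester, target_dn)), "none")
    return "none"  # nothing matched at all: slapd denies by default

def allows(acls, requester, target_dn, attr, needed):  # e.g. a 'read' grant also satisfies 'compare'
    return LEVELS.index(access_level(acls, requester, target_dn, attr)) >= LEVELS.index(needed)
```

Run it with the full rule set from this page to confirm, for example, that an anonymous bind can compare uniqueMember but not read it, and that a later "by * none" cannot undo an earlier "by * read" on the same attribute.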

Unless otherwise noted, all content is copyright Marc Dougherty and is subject to a Creative Commons license.