
OpenLDAP has very flexible and powerful access controls, but they aren't well documented. Sure, there is lots of documentation about them, but none of it says anything useful. The most useful part of the documentation I found was the BNF, but as most people soon realise, a BNF tells you how to write a rule and leaves you with no idea what a particular rule is actually going to do.

Anyhow, I'm going to try to explain the access controls I use (which I think cover most of the more advanced features).

Some points to note before we start (for good luck):

  1. The order of "access to" directives matters: OpenLDAP stops at the first directive whose target matches the entry or attribute being accessed.
  2. The order of "by" clauses matters: within that directive, OpenLDAP stops at the first "by" clause that matches the requester, and the level on that clause is what you get.
So this is the config I use:

    access to attribute=userPassword
        by group/groupofuniquenames/uniquemember="ou=AdminUsers,ou=Accounts,$BASEDN" write
        by dnattr=owner write
        by anonymous auth
        by self write
        by * none

    access to dn=".*,ou=Domains,$BASEDN"
        by group/groupofuniquenames/uniquemember="ou=AdminUsers,ou=Accounts,$BASEDN" write
        by dnattr=owner write
        by * read

    access to *
        by group/groupOfUniqueNames/uniqueMember="ou=AdminUsers,ou=Accounts,ou=WAND,o=Waikato University,c=NZ" write
        by * read
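As an added illustration that is not part of the original page and not OpenLDAP's own code, the following Python models how slapd walks the three directives above using only the two ordering rules stated earlier (first matching "access to", then first matching "by"). The base DN, the users alice and bob, the admin group membership and the domain entry are all constructed for the example, and features the page does not use (filter= targets, DN normalisation) are left out.

```python
# Added illustration (not OpenLDAP's own code): a small model of how slapd walks
# its "access to <what> by <who> <level>" directives, encoding the two ordering
# rules from the text:
#   1. the first "access to" whose <what> matches the entry/attribute wins;
#   2. inside it, the first "by" clause whose <who> matches the requester wins.
# Every DN, the $BASEDN value and the directory contents below are constructed
# for this example.
import re

BASEDN = "ou=WAND,o=Waikato University,c=NZ"
ADMIN_GROUP = f"ou=AdminUsers,ou=Accounts,{BASEDN}"
ALICE = f"uid=alice,ou=Accounts,{BASEDN}"      # member of the admin group
BOB = f"uid=bob,ou=Accounts,{BASEDN}"          # ordinary user, owns one domain
DOMAIN = f"dc=example.org,ou=Domains,{BASEDN}"

# Constructed toy directory: entry DN -> {lower-cased attribute: [values]}.
DIRECTORY = {
    ADMIN_GROUP: {"objectclass": ["groupOfUniqueNames"], "uniquemember": [ALICE]},
    ALICE: {"userpassword": ["{SSHA}constructed"]},
    BOB: {"userpassword": ["{SSHA}constructed"]},
    DOMAIN: {"owner": [BOB]},
}

# slapd's access levels from weakest to strongest; a grant implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The page's three directives. <what> is a dict of constraints that must all
# hold; each "by" clause is (who-kind, argument, level). "access to *" is
# modelled as a dn regex that matches every entry.
ACL = [
    ({"attrs": "userpassword"},
     [("group", ADMIN_GROUP, "write"), ("dnattr", "owner", "write"),
      ("anonymous", None, "auth"), ("self", None, "write"), ("*", None, "none")]),
    ({"dn": rf".*,ou=Domains,{re.escape(BASEDN)}"},
     [("group", ADMIN_GROUP, "write"), ("dnattr", "owner", "write"),
      ("*", None, "read")]),
    ({"dn": r".*"},
     [("group", ADMIN_GROUP, "write"), ("*", None, "read")]),
]


def same_dn(a, b):
    """DNs are compared case-insensitively in this toy (no full normalisation)."""
    return a is not None and b is not None and a.lower() == b.lower()


def what_matches(what, entry_dn, attr):
    """Does this directive's <what> apply to the entry (and attribute, if any)?"""
    if "attrs" in what and (attr is None or attr.lower() != what["attrs"]):
        return False
    if "dn" in what and not re.fullmatch(what["dn"], entry_dn, re.IGNORECASE):
        return False
    return True


def who_matches(kind, arg, requester_dn, entry_dn, entry):
    """Does this "by" clause's <who> describe the requester?"""
    if kind == "*":
        return True
    if kind == "anonymous":
        return requester_dn is None
    if kind == "self":
        return same_dn(requester_dn, entry_dn)
    if kind == "dnattr":          # requester's DN is a value of <arg> in the entry
        return any(same_dn(requester_dn, v) for v in entry.get(arg, []))
    if kind == "group":           # requester is a uniqueMember of the group entry <arg>
        members = DIRECTORY.get(arg, {}).get("uniquemember", [])
        return any(same_dn(requester_dn, m) for m in members)
    raise ValueError(f"unknown who-kind {kind!r}")


def access_level(requester_dn, entry_dn, attr=None, acl=ACL):
    """Level slapd would grant: first matching directive, first matching by."""
    entry = DIRECTORY.get(entry_dn, {})
    for what, clauses in acl:
        if not what_matches(what, entry_dn, attr):
            continue                      # rule 1: keep looking for the first match
        for kind, arg, level in clauses:
            if who_matches(kind, arg, requester_dn, entry_dn, entry):
                return level              # rule 2: first matching "by" decides
        return "none"                     # directive matched but no "by" did: denied
    return "none"                         # unreachable here: "access to *" matches all


def allowed(requester_dn, entry_dn, attr, wanted):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(access_level(requester_dn, entry_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    print("bob reads his own userPassword:", allowed(BOB, BOB, "userPassword", "read"))
    print("bob reads alice's userPassword:", allowed(BOB, ALICE, "userPassword", "read"))
    print("anonymous binds as bob (auth):", allowed(None, BOB, "userPassword", "auth"))
    print("bob writes the domain he owns:", allowed(BOB, DOMAIN, "dc", "write"))
    # Reordering shows why rule 1 matters: with "access to *" first, the
    # userPassword directive is never consulted and bob can read alice's hash.
    wrong = [ACL[2]] + ACL[:2]
    print("with 'access to *' first:", access_level(BOB, ALICE, "userPassword", acl=wrong))
```

The reordered variant at the end is the mistake worth checking for in a real slapd.conf: a catch-all "access to *" placed above the userPassword directive silently grants read on password hashes to everyone the catch-all grants read to, and the more specific directive below it is dead text.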

Now, let's go over it step by step.