--On Sunday, January 24, 2021 10:05 PM +0200 "Harri T." <[email protected]>
wrote:
Hi,
Could someone please give an example of .ldif for granting *read-only*
access on all the directory to the user "cn=query,dc=example,dc=com"?
I don't know what you mean by "an example of .ldif".
If it were slapd.conf, it would be something like:
database mdb
suffix dc=example,dc=com
access to *
by dn.exact="cn=query,dc=example,dc=com" read
If it were a cn=config database, something like:
ldapmodify ...
dn: olcDatabase={X}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=query,dc=example,dc=com" read
You'd need to modify "X" to be the actual database containing the data you
want it to have read access on. Additionally, since this does an insert to
be access rule 0, no other access rules that may be in the database would
be validated.
In both cases, this ACL would most likely not be useful since it would
block simple (userPassword) authentication, meaning it would be impossible
to authenticate to being the "cn=query,dc=example,dc=com" user since there
is no anonymous auth access to userPassword.
A more useful set of ACLs might be something like:
-- slapd.conf --
access to userPassword
by anonymous auth
by self write
by dn.exact="cn=query,dc=example,dc=com" read
access to *
by dn.exact="cn=query,dc=example,dc=com" read
-- cn=config --
olcAccess: {0}to userPassword by anonymous auth by self write by dn.exact="cn=query,dc=example,dc=com" read
olcAccess: {1}to * by dn.exact="cn=query,dc=example,dc=com" read
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
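Added illustration (not from the reply above, and not OpenLDAP code): a small Python model of how slapd evaluates these ACLs, first matching "to" clause wins, then the first matching "by" clause, and an unmatched "by" means "none". It assumes only the who-clauses used in the post (anonymous, self, dn.exact) and ignores DN scoping, so it is a teaching model, not a full implementation. It shows why the one-rule ACL blocks a simple bind as cn=query, why the two-rule set works, and why inserting a "to *" rule at {0} shadows every rule after it.

```python
# Access levels in increasing order, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

QUERY = "cn=query,dc=example,dc=com"

# Each ACL is a list of ("to" target, [("by" kind, argument, level), ...]).
# Single rule from the first answer: query gets read on everything.
ACL_ONE_RULE = [
    ("*", [("dn", QUERY, "read")]),
]

# The "more useful" two-rule set from the reply.
ACL_USEFUL = [
    ("userPassword", [("anonymous", None, "auth"),
                      ("self", None, "write"),
                      ("dn", QUERY, "read")]),
    ("*", [("dn", QUERY, "read")]),
]

# Constructed example of a rule that may already be in the database (rule {1}
# after the insert): everyone may read everything.
EXISTING_RULE = ("*", [("*", None, "read")])


def access(acl, bind_dn, target_dn, attr):
    """Access level bind_dn (None = anonymous) has to attr of target_dn."""
    for what, by_clauses in acl:
        if what != "*" and what != attr:      # "to userPassword" vs "to *"
            continue
        for who, arg, level in by_clauses:    # first matching "by" wins
            if who == "anonymous" and bind_dn is None:
                return level
            if who == "self" and bind_dn is not None and bind_dn == target_dn:
                return level
            if who == "dn" and bind_dn == arg:
                return level
            if who == "*":
                return level
        return "none"   # matching "to" clause, no matching "by": implicit "by * none"
    return "none"       # no "to" clause matched at all


def allows(acl, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the needed level."""
    return LEVELS.index(access(acl, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def simple_bind_possible(acl, dn):
    # A simple bind checks userPassword of dn while the connection is still
    # anonymous, so anonymous needs at least "auth" on that attribute.
    return allows(acl, None, dn, "userPassword", "auth")
```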