Setting the ACL on the LDAP Server

Finally, you need to configure the access controls on the LDAP server so that users can change their own password with the passwd command, and so that nobody else can read it.

The default access control list (ACL) in SUSE allows everyone, authenticated and anonymous alike, to read all data in the LDAP server. When you store passwords, even hashed ones, this is not an acceptable security model. You need to tell OpenLDAP that only the user who owns an entry may read and write the password stored in it (so that passwd can update it), that the administrator may do so as well, and that no other user may see it at all.

To do this, set a specific ACL on the userPassword attribute in /etc/openldap/slapd.conf:

access to attrs=userPassword
        by dn="cn=admin,o=Acme,c=UK" write
        by anonymous auth
        by self write
        by * none

The clauses are evaluated in order and the first one that matches the requester decides: the administrator gets write access, an anonymous connection gets auth only (enough for slapd to compare the supplied password during a bind, but not enough to read the hash), the owner of the entry (self) may read and write it, and everyone else gets nothing.
</gre_replace>
<gr_replace lines="11" cat="clarify" orig="As you are not">
Because you are no longer using the default ACL (you have defined your own), you also need to grant users access to all the other data in the LDAP server. Bear in mind that slapd uses the first access directive whose target matches the requested entry or attribute and ignores the rest, so this userPassword directive must appear in slapd.conf before any more general directive, or the general one will be applied to passwords as well.

As you are not using the default ACL (because you have triggered your own), you also need to give users access to all other data in the LDAP server.

As with the design of the LDAP server itself, you should take great care when designing your ACL scheme. We use only a small ACL scheme here to keep the amount of information you have to manage to a minimum, but on a corporate system there is a lot of data that should not be viewable by all users. For example, you do not want your coworker to see what your salary is, do you?

When setting an ACL that lets all users read the rest of the information in an entry, it is customary to include an explicit clause for the administrator as well, to make the intended outcome of the ACL obvious. The administrator configured as the rootdn is not subject to access controls at all and always has full control over all data in the LDAP server, so the clause is for clarity rather than necessity.

access to *
        by dn="cn=admin,o=Acme,c=UK" write
        by * read
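To see how slapd picks a result from these two directives, and why their order matters, here is a small Python model of the evaluation rules in slapd.access(5): the first access directive whose target matches is used, within it the first by clause whose requester matches decides, and anything unmatched is denied. This is an added example, not code from the book or from OpenLDAP. The admin DN is the one used in the ACLs above; the user DNs uid=justin and uid=roger, the attribute cn and the helper names are made up for the demonstration, and only the selectors used on this page (*, attrs=, anonymous, users, self, dn=) are modelled.

```python
import shlex

# Access levels in increasing order, as in slapd.access(5); a grant of one level
# implies every level below it (for example, 'write' implies 'read').
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Hypothetical DNs for the demonstration; only ADMIN comes from the page's ACL.
ADMIN = "cn=admin,o=Acme,c=UK"
JUSTIN = "uid=justin,ou=People,o=Acme,c=UK"
ROGER = "uid=roger,ou=People,o=Acme,c=UK"

# The two directives from the text, in the order they must appear in slapd.conf.
# Indented lines continue the previous directive, as in slapd.conf itself.
ACME_ACL = """\
access to attrs=userPassword
        by dn="cn=admin,o=Acme,c=UK" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,o=Acme,c=UK" write
        by * read
"""

# The same directives with their order swapped: 'access to *' now matches
# userPassword first, and its 'by * read' hands every password hash to everyone.
MISORDERED_ACL = """\
access to *
        by dn="cn=admin,o=Acme,c=UK" write
        by * read

access to attrs=userPassword
        by dn="cn=admin,o=Acme,c=UK" write
        by anonymous auth
        by self write
        by * none
"""


def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives into
    [(what, [(who, level), ...]), ...], preserving file order."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:      # continuation line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives = []
    for line in logical:
        tok = shlex.split(line)              # shlex strips the quotes around dn="..."
        if tok[:2] != ["access", "to"] or len(tok) < 3:
            raise ValueError("not an access directive: " + line)
        what, rest, clauses = tok[2], tok[3:], []
        while rest:
            if rest[0] != "by" or len(rest) < 3 or rest[2] not in LEVELS:
                raise ValueError("malformed by clause in: " + line)
            clauses.append((rest[1], rest[2]))
            rest = rest[3:]
        directives.append((what, clauses))
    return directives


def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in {a.strip().lower() for a in what[6:].split(",")}
    raise ValueError("unsupported <what>: " + what)   # dn=/filter= selectors not modelled


def _who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn == target_dn
    if who.startswith("dn="):
        return requester_dn == who[3:]       # treated as an exact DN match, no normalisation
    raise ValueError("unsupported <who>: " + who)


def access_level(directives, requester_dn, target_dn, attr, rootdn=None):
    """Return the level slapd would grant requester_dn on attr of target_dn."""
    if rootdn is not None and requester_dn == rootdn:
        return "manage"        # the rootdn is never subject to access directives
    for what, clauses in directives:
        if not _what_matches(what, attr):
            continue           # first matching 'access to' wins; later ones are ignored
        for who, lvl in clauses:
            if _who_matches(who, requester_dn, target_dn):
                return lvl
        return "none"          # directive matched but no 'by' clause did: deny
    return "none"              # no directive matched at all: deny


def allows(directives, requester_dn, target_dn, attr, needed, rootdn=None):
    """True if the granted level is at least `needed` ('auth' does not imply 'read')."""
    got = access_level(directives, requester_dn, target_dn, attr, rootdn)
    return LEVELS.index(got) >= LEVELS.index(needed)


def audit(acl_text):
    """Evaluate the situations the text cares about and return {case: level}."""
    d = parse_acl(acl_text)
    return {
        "anonymous bind check": access_level(d, "", JUSTIN, "userPassword"),
        "own password": access_level(d, JUSTIN, JUSTIN, "userPassword"),
        "coworker password": access_level(d, ROGER, JUSTIN, "userPassword"),
        "admin on password": access_level(d, ADMIN, JUSTIN, "userPassword"),
        "coworker other attr": access_level(d, ROGER, JUSTIN, "cn"),
    }


if __name__ == "__main__":
    for name, text in (("as written", ACME_ACL), ("misordered", MISORDERED_ACL)):
        print(name)
        for case, lvl in audit(text).items():
            print(f"  {case:22s} {lvl}")
```

Running it shows that, with the directives in the order given above, a coworker gets none on someone else's userPassword while still getting read on the other attributes, and that swapping the two directives turns the coworker's (and even an anonymous client's) level on userPassword into read.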
