
I want to prevent users from accessing anything other than their own data.

I've tried implementing the following simple ACL (LDIF):

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * none

When I apply this LDIF, I am no longer able to query (objectClass=posixAccount). If I change the last ACL to "to * by * read", the query returns all users.

What am I missing?

1 Answer

I found out that in order to access a record, one must have "search" privilege. I changed the ACL to:

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * search

Using that I was able to query (objectClass=posixAccount) without showing other accounts.
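The first ACL in the question fails because a search needs "search" access to the 'entry' pseudo-attribute of the search base itself, and "by self" never matches the container, so the bound user falls through to "by * none" before any entry is even considered. The working answer fixes that with "by * search" on everything, which also lets every bound user's filter match every other entry (nothing is returned, but the directory-wide search right is broader than needed). The following LDIF is an added example, not the question's or answer's own configuration; it assumes a hypothetical tree where accounts live under ou=people,dc=example,dc=com and searches are based there, and grants the search right only on that container:

```ldif
# Added example (not from the question or answer): least-privilege variant.
# Assumed tree: accounts are uid=<name>,ou=people,dc=example,dc=com and
# clients search with base ou=people,dc=example,dc=com.
# Load with: ldapmodify -Y EXTERNAL -H ldapi:/// -f self-only-acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password hash: owner may change it, anyone may bind against it,
# nobody (including other authenticated users) may read it.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# shadowLastChange: owner may update it on password change; hidden otherwise.
# ("self write" already implies read, so a separate "self read" is not needed.)
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by * none
# A search is refused unless the bind DN has "search" on the 'entry'
# pseudo-attribute of the search base. Granting it here, on the container
# only, is what lets a normal user run (objectClass=posixAccount) without
# handing out "search" on every entry in the directory. If clients also
# search from dc=example,dc=com, add an equivalent rule for that DN.
olcAccess: {2}to dn.base="ou=people,dc=example,dc=com" attrs=entry
  by users search
  by * none
# Everything else: an entry matches filters and is returned only to the
# account it belongs to. Other users have no search right on it, so their
# filters do not match it, and no attribute of it is ever returned to them.
olcAccess: {3}to *
  by self read
  by * none
```

Before loading it into a live server, slapacl (run on the server against the on-disk config, e.g. slapacl -F /etc/ldap/slapd.d -D "uid=alice,ou=people,dc=example,dc=com" -b "uid=bob,ou=people,dc=example,dc=com" entry/read) shows what a given bind DN is granted on any entry.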
