Thursday, 23 December 2010

LDAP access lists

Sometimes it is necessary to restrict some operations on an LDAP server.
The solution is LDAP access control lists (ACLs).

Important: The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the clauses.

Example ACL in slapd.conf syntax (directives are evaluated in file order and the first matching "access to" clause decides, so put the most specific ones first):

##################################
# Access lists
##################################
# Access list for the userPassword LDAP attribute (listed first so it takes
# precedence over the per-subtree rules below)
access to attrs=userPassword
# Allow read access to LDAP user cn=ro,ou=sys,dc=example,dc=com
by dn="cn=ro,ou=sys,dc=example,dc=com" read
# Allow users to change only their own passwords
by self write
# Allow anonymous clients to use the attribute during authentication (bind)
by anonymous auth
# Otherwise no access
by * none

# Access list for user entries under ou=users (regex anchored so it matches
# only entries directly below the OU)
access to dn.regex="^cn=.*,ou=users,dc=example,dc=com$"
# Allow read access to dovecot user
by dn="cn=dovecot,ou=sys,dc=example,dc=com" read
# Same as before
by anonymous auth
by self write
by * none

# Access list for special LDAP OU ou=sys,dc=example,dc=com
access to dn.regex="^cn=.*,ou=sys,dc=example,dc=com$"
by dn="cn=dovecot,ou=sys,dc=example,dc=com" read
by anonymous auth
by self write
by * none

# Access to OU groups
access to dn.regex="^cn=.*,ou=groups,dc=example,dc=com$"
by dn="cn=dovecot,ou=sys,dc=example,dc=com" read
by anonymous auth
by self write
by * none

# Everything else: an entry may modify itself, anyone may read
access to *
by self write
by * read
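
To see how slapd resolves these directives (first matching "access to", then first matching "by", with an implicit "by * none" at the end of each directive), here is a small Python model of the evaluation. It is an added illustration, not OpenLDAP code, and it supports only the selectors used in the ACL above; the DNs cn=alice and cn=bob are made up for the demonstration. For authoritative answers against a real configuration use slapacl(8).

```python
"""Added illustration (not OpenLDAP's own code): a small model of how slapd
evaluates the slapd.conf ACLs shown above. It covers only the syntax used on
this page: <what> = '*', 'attrs=...', 'dn.regex="..."'; <who> = '*',
'anonymous', 'users', 'self', 'dn="..."'."""
import re
import shlex

# Access levels, weakest to strongest, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The page's ACL (userPassword, ou=users and the catch-all), regexes anchored.
ACL_TEXT = """
access to attrs=userPassword
  by dn="cn=ro,ou=sys,dc=example,dc=com" read
  by self write
  by anonymous auth
  by * none
access to dn.regex="^cn=.*,ou=users,dc=example,dc=com$"
  by dn="cn=dovecot,ou=sys,dc=example,dc=com" read
  by anonymous auth
  by self write
  by * none
access to *
  by self write
  by * read
"""


def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order; order is what matters."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)  # unwraps dn="..." into dn=...
        if tokens[:2] == ["access", "to"]:
            acls.append((tokens[2], []))
        elif tokens[0] == "by":
            acls[-1][1].append((tokens[1], tokens[2]))
        else:
            raise ValueError(f"unsupported line: {raw}")
    return acls


def what_matches(what, target_dn, attr):
    """Does this 'access to <what>' selector apply to the target entry/attribute?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    if what.startswith("dn.regex="):
        return re.search(what[len("dn.regex="):], target_dn, re.IGNORECASE) is not None
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who, requester_dn, target_dn):
    """Does this 'by <who>' selector apply to the bound DN ('' means anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester_dn.lower() == who[len("dn="):].lower()
    raise ValueError(f"unsupported <who>: {who}")


def granted_level(acls, requester_dn, target_dn, attr=None):
    """First-match evaluation: the first <what> that matches decides, and within it
    the first <who> that matches; no matching <who> means 'none'."""
    for what, clauses in acls:
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"
    return "none"  # unreachable with the trailing 'access to *'; deny conservatively


def allowed(acls, requester_dn, target_dn, level, attr=None):
    """True if the granted level is at least the requested one ('write' implies 'read')."""
    return LEVELS.index(granted_level(acls, requester_dn, target_dn, attr)) >= LEVELS.index(level)


ACLS = parse_acls(ACL_TEXT)
ALICE = "cn=alice,ou=users,dc=example,dc=com"      # made-up user entry
DOVECOT = "cn=dovecot,ou=sys,dc=example,dc=com"

if __name__ == "__main__":
    for who, target, attr, level in [
        ("", ALICE, "userPassword", "auth"),       # anonymous bind may authenticate
        ("", ALICE, "userPassword", "read"),       # ...but not read the hash
        (DOVECOT, ALICE, "mail", "read"),          # dovecot reads user entries
        (DOVECOT, ALICE, "userPassword", "read"),  # attrs directive comes first: denied
        ("cn=bob,ou=users,dc=example,dc=com", ALICE, "mail", "read"),  # users can't see each other
    ]:
        print(f"{who or 'anonymous':40} {level:5} {attr:13} -> {allowed(ACLS, who, target, level, attr)}")
```

Two things the model makes visible that the file alone does not: cn=dovecot can read user entries but not userPassword, because the attrs=userPassword directive is matched first and has no "by" clause for it; and ordinary users get no access to each other's entries, since the ou=users directive ends in "by * none" before the permissive "access to *" is ever consulted.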

Note: the rootdn user always has full access to all LDAP records, so it never needs to appear in an ACL.
See the following lines from slapd.conf (in practice rootpw should hold a hash generated with slappasswd rather than a clear-text value):

rootdn "cn=root,dc=example,dc=com"
rootpw secret

Additional reading:

Access Control
