Access Control; Access Control Example - Novell SLRS 8 Admin Manual


server is able to run with an empty database. If the database has been corrupted, the database files in /var/lib/ldap/ must be removed before restoring the online backup. To restore a backup file taken with ldapsearch, run the command

ldapadd -D <adminDN> -x -w <adminPassword> -h <LDAPServer> -f <backupfile>

14.2 Access Control

Access to the LDAP directory should be restricted to follow the security guidelines and policies in place. By default, all entries in the LDAP directory can be read by everyone, even without a user name and password. The examples in this manual use the administrator user DN for all activities regarding the LDAP directory.

To restrict access to the directory, access control lists (ACLs) can be implemented in the LDAP server configuration file on the administration server. The configuration file is /etc/openldap/slapd.conf. Read the manual pages slapd.conf(5) and slapd.access(5) for details.

14.2.1 Access Control Example

To restrict access to a specific location, use the following ACLs (this assumes that the standard schema of cn=<location>,ou=<orgUnit>,o=mycorp,c=de is used, as in the examples):

access to dn.base="" by * read
access to * attrs=userPassword
        by anonymous auth
        by self write
access to dn.regex="^.*(cn=.*,ou=.*,o=mycorp,c=de)$"
        by dn.regex="^.*,$1$" write
        by anonymous auth
        by users read
access to *
        by anonymous auth
        by users read
        by self write

For each location, create a location user, for example:

posAdmin.pl --user cn=admin,o=mycorp,c=de --password secret \
        --base cn=habor,ou=berlin,o=suse,c=de --add --scPosUser \
        --cn HaborBerlinUser --userPassword "secretPassword"
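To see what the four directives above actually grant, the following added example (not part of the manual and not OpenLDAP code) models slapd's default ACL evaluation in Python: the first "access to" clause whose target matches the entry and attribute is selected, inside it the first matching "by" clause decides, and if no "by" clause matches the result is "none". The ACL set is transcribed from the manual; the DNs (HaborBerlinUser in cn=habor,ou=berlin, a constructed user in cn=store,ou=munich, a constructed entry cn=pos1) are assumptions that follow the cn=<location>,ou=<orgUnit>,o=mycorp,c=de schema.

```python
import re

# Access levels in the order slapd.access(5) ranks them; a granted level
# implies every level to its left (write implies read, read implies search, ...).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The four access directives from the manual, in their original order,
# transcribed into data (constructed for this model, not read from slapd.conf).
ACLS = [
    # access to dn.base="" by * read
    {"dn_base": "", "by": [("*", "read")]},
    # access to * attrs=userPassword  by anonymous auth  by self write
    {"attrs": {"userPassword"}, "by": [("anonymous", "auth"), ("self", "write")]},
    # access to dn.regex="^.*(cn=.*,ou=.*,o=mycorp,c=de)$"
    #     by dn.regex="^.*,$1$" write  by anonymous auth  by users read
    {"dn_regex": r"^.*(cn=.*,ou=.*,o=mycorp,c=de)$",
     "by": [("dn.regex=^.*,$1$", "write"), ("anonymous", "auth"), ("users", "read")]},
    # access to *  by anonymous auth  by users read  by self write
    {"by": [("anonymous", "auth"), ("users", "read"), ("self", "write")]},
]


def _target_matches(acl, target_dn, attr):
    """Does this 'access to' clause cover attribute attr of entry target_dn?

    Returns (matched, captures); captures holds the regex groups $1 refers to."""
    if "attrs" in acl and attr not in acl["attrs"]:
        return False, ()
    if "dn_base" in acl:
        return target_dn == acl["dn_base"], ()
    if "dn_regex" in acl:
        m = re.match(acl["dn_regex"], target_dn)
        return m is not None, (m.groups() if m else ())
    return True, ()  # plain "access to *"


def _who_matches(who, bind_dn, target_dn, captures):
    """Does a 'by <who>' clause apply to the requester bound as bind_dn?

    bind_dn == "" models an anonymous bind. Only the who-forms used in the
    manual's ACL are supported: *, anonymous, users, self and dn.regex=<pattern>,
    where $N is replaced by the N-th group captured by the target regex."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn == target_dn
    if who.startswith("dn.regex="):
        pattern = who[len("dn.regex="):]
        for n, group in enumerate(captures, start=1):
            pattern = pattern.replace("$%d" % n, re.escape(group))
        return re.match(pattern, bind_dn) is not None
    raise ValueError("unsupported who clause: %r" % who)


def granted_level(bind_dn, target_dn, attr="cn"):
    """Level the ACL set grants bind_dn on attribute attr of target_dn.

    Follows slapd's default evaluation: the first 'access to' clause whose
    target matches is selected; inside it the first matching 'by' clause
    decides; if none of its 'by' clauses matches, the answer is 'none'."""
    for acl in ACLS:
        matched, captures = _target_matches(acl, target_dn, attr)
        if not matched:
            continue
        for who, level in acl["by"]:
            if _who_matches(who, bind_dn, target_dn, captures):
                return level
        return "none"
    return "none"


def allows(bind_dn, target_dn, attr, wanted):
    """True if the granted level is at least the wanted one (e.g. 'read')."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    # Constructed DNs following the manual's cn=<location>,ou=<orgUnit>,o=mycorp,c=de schema.
    location_user = "cn=HaborBerlinUser,cn=habor,ou=berlin,o=mycorp,c=de"
    pos_entry = "cn=pos1,cn=habor,ou=berlin,o=mycorp,c=de"
    other_user = "cn=MunichUser,cn=store,ou=munich,o=mycorp,c=de"
    for who, what, attr in [(location_user, pos_entry, "cn"), (other_user, pos_entry, "cn"),
                            ("", pos_entry, "cn"), (location_user, pos_entry, "userPassword")]:
        print("%-55s -> %-45s %-13s %s" % (who or "(anonymous)", what, attr,
                                            granted_level(who, what, attr)))
```

Two points the model makes visible. First, because the first matching "by" clause decides, the "by self write" line of the final "access to *" directive is never reached for an authenticated user: "by users read" has already matched, so a user outside any location gets only read access to its own entry. Second, the "by" lines of a multi-line directive must start with white space in slapd.conf, since a line beginning with white space continues the previous line; without that indentation slapd reads each "by" line as a separate directive. The model ignores DN normalization, the break/continue controls and the entry/children pseudo-attributes, so verify the real configuration against the running server (slapacl, where the installed OpenLDAP release ships it) rather than against this script.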