OpenLdap configuration - olcAccess

Fréderic CLEMENT


I am new to OpenLDAP, but I succeeded in configuring an LDAP server on a Squeeze machine.

I have access to it through phpldapadmin and I could create some items.

The thing I don't understand is how to configure a user that has access only to a part of the tree. I tried the following:

dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=viadialog
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=viadialog" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=viadialog" write by * read

olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,o=societe1,dc=viadialog" write by * read
olcAccess: {4}to * by self write by dn="cn=admin,o=societe1,dc=viadialog" write by * read

olcLastMod: TRUE
olcRootDN: cn=admin,dc=viadialog
olcRootPW:: e1NTSEF9MzBteU84M1hodnlNNGJmRFJoRnZrN0p2V3JXNUJDMDk=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 83f36100-8227-1032-9b72-63414239a993
creatorsName: cn=admin,cn=config
createTimestamp: 20130716055133Z
entryCSN: 20130716055133.963353Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20130716055133Z

The main admin account (cn=admin,dc=viadialog) is working well, but I would like the second user (cn=admin,o=societe1,dc=viadialog) to have access only to its subtree; instead, this admin keeps seeing the whole tree, and only in read-only mode.

Could someone kindly give me a tip?

I attach a screenshot of my phpldapadmin.
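The reason the two extra rules never take effect is the way slapd evaluates olcAccess: the first "to" clause whose target matches the entry (and attribute) being accessed is the only one consulted, and within it the first matching "by" clause decides; later directives are never reached. In the configuration above, {2}to * matches every entry, so {3} and {4} are dead rules, and cn=admin,o=societe1,dc=viadialog falls through to "by * read", which is exactly the read-only view of the whole tree described. Note also that cn=admin,dc=viadialog is the olcRootDN, which is not subject to access control at all, so the "by dn="cn=admin,dc=viadialog" write" clauses are redundant. The LDIF below is an added example, not part of the original thread: it reorders the rules so the subtree-specific targets come first and explicitly denies the subtree admin access to the rest of the tree. The DNs are the ones from the question; the ",cn=config" suffix on the database DN and the ldapi:/// command assume the standard Debian cn=config layout.

```ldif
# Added example: reorder olcAccess so the most specific targets come first.
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
# (continuation lines start with two spaces: one is the LDIF marker, one is kept)
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Passwords inside o=societe1: the owner and the subtree admin may write,
# anonymous may only use them to bind, nobody else may read them.
olcAccess: {0}to dn.subtree="o=societe1,dc=viadialog" attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.exact="cn=admin,o=societe1,dc=viadialog" write
  by * none
# Everything else inside o=societe1: the subtree admin gets write.
olcAccess: {1}to dn.subtree="o=societe1,dc=viadialog"
  by self write
  by dn.exact="cn=admin,o=societe1,dc=viadialog" write
  by * read
# Passwords in the rest of the tree (the rootdn needs no rule here).
olcAccess: {2}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
# The root DSE must stay readable so clients can discover namingContexts.
olcAccess: {3}to dn.base=""
  by * read
# Catch-all: deny the subtree admin before "by * read", otherwise it
# would still see the whole tree read-only, as in the original ordering.
olcAccess: {4}to *
  by self write
  by dn.exact="cn=admin,o=societe1,dc=viadialog" none
  by * read
```

Because the subtree admin now has no access to dc=viadialog itself, a search rooted at dc=viadialog will not succeed for that user; point phpldapadmin (or any client binding as that user) at o=societe1,dc=viadialog as its base DN. The rule about anonymous auth on userPassword in {0} is what lets the subtree admin bind at all, since its own entry lives under o=societe1.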




Jeremy Davis

And none regarding OpenLDAP. I suggest you see what the OpenLDAP community has by way of support. Hopefully they have a forum or mailing list and someone there can give you some relevant expert advice...

Please feel free to post back if you find anything of interest. Or if it seems to be some issue specifically with TKL's implementation of OpenLDAP then we can at least lodge a bug, if not try to find the issue...

Fréderic CLEMENT

Thanks for your reply.

The problem is that the config files of OpenLDAP have completely changed and the documentation hasn't been provided yet.


