Setting Up Access Control on the Directory Server



Access control is exactly what it sounds like: it is the way that the administrator limits (controls) what kind of information a regular user can read or change (access). Access control rules are set through allow and deny permissions that you put on suffixes and branches in your directory tree. The following operations can be allowed or denied for different attributes and parts of your directory:

When setting access control rules, there are two important points to remember:
  1. Plan who should have what kind of access before you begin setting access controls. Also look at what programs will be integrated with your Directory Server and plan those access rights; for instance, if you are using your Directory Server as an address book for an email client like Thunderbird, the access control permissions must be set properly, or your client program cannot access the information.
  2. You can grant or deny access to groups and roles so that members of those groups and roles have access; when you plan your directory tree, you should also plan directory access.

An ACI (access control instruction) is made up of four parts:
You can also set rules on the time of day the directory is accessed, the IP address the directory is accessed by, and other, more advanced types of access control.

If you are using your Directory Server as a user directory for other applications, the access control permissions on your Directory Server must be set properly, or your client program cannot access the information. There are three methods to grant an application access to the Directory Server. The first two are anonymous access for the application or general access for a user of that application. Anonymous access means that the application does not have to authenticate to the server, that is, it does not offer a user name and password. General access means that the user has to offer a user name and password to get to the server, but every user that can authenticate has permission to do basic functions like read, compare, and search. The third option is to set up a shell user, like uid=Posix User, with sufficient access controls to read, search, and even modify directory entries, and to supply that user DN and password in the application configuration files. The kind of access you allow this user depends on the requirements of the applications you are using.


I. Anonymous Access

By default, one of the ACIs on the root suffix, dc=example,dc=com, allows anonymous read, search, and compare rights to the Directory Server. If you want to allow anonymous access throughout your directory, set an access control rule like this on your root suffix:

aci: (targetattr != "aci")(version 3.0; acl "rootdse anon read access"; allow(read,search,compare) userdn="ldap:///anyone";)

The anyone in this ACI's bind rule means that it allows anonymous access with the rights to read, search, and compare all attributes (except aci itself) in all entries in the directory. Because this ACI sits at the top of the directory tree, access to attributes like salary, home address, or manager can be restricted further down the tree, which keeps access control simple and local.


II. General Access

If you do not want to allow anonymous (anyone) access to your directory, then you can restrict access by changing this ACI or by adding a new one on the branch you want restricted (such as ou=People). This ACI is in the dse.ldif configuration file, and you cannot change it from the Console. However, you can add a new ACI from the Console.

To change the anonymous ACI at the root suffix, do the following:
  1. Stop the server.

    cd /pathtoserver/slapd-serverName
    ./stop-slapd

  2. Open the directory where the dse.ldif file is:

    cd config

  3. Open the dse.ldif in a text editor.

  4. Find the anonymous access ACI.

    aci: (targetattr != "aci")(version 3.0; acl "rootdse anon read access"; allow(read,search,compare) userdn="ldap:///anyone";)

  5. Change the anyone to all to require users to authenticate. If you want, you may also change the ACI name to reflect that this is general access instead of anonymous access.

    aci: (targetattr != "aci")(version 3.0; acl "rootdse general read access"; allow(read,search,compare) userdn="ldap:///all";)

  6. Restart the server.

    cd ../
    ./start-slapd

If you want to keep the anonymous access ACI at the root suffix and only want to restrict general access to an organizational unit like ou=People, then you can add the general access ACI from the Console.
  1. Open the Directory Server Console. In the Directory tab, highlight the branch you want to put the ACI on.

  2. Right-click on the branch point, and select "Set Access Permissions" from the menu. The "Manage Access Control for Entry" window will appear.

  3. Hit the "New" button to create a new ACI. The Edit ACI window will come up.

  4. Name your ACI in the ACI Name field.

  5. The first tab specifies the users this applies to. By default, it applies to everyone; to modify this, delete "All Users," and hit the "Add" button to add the users you select.

    Hit the "Edit manually" button. With all users allowed, the ACI bind rule is userdn="ldap:///anyone". Change this to general access by changing anyone to all.

    It is very difficult to write ACIs by hand. After you have made this change, check the syntax by hitting the "Check syntax" button, and then hit "Edit Visually" to return to the Edit ACI wizard.

  6. The second tab specifies the rights. For an email client, you should limit these rights to read, compare, and search to keep users from accidentally changing directory information when they change their contact information.

  7. The next tab specifies the targets. You can limit the attributes this ACI applies to as well as which entries' attributes. For example, you can grant write, add, and delete permission on the salary attribute for a single entry or for every entry with the same manager. For use by outside applications, you should make this fairly broad, such as the entire ou=People org unit.

  8. The next two tabs, Hosts and Times, limit access control by IP address and time of day, respectively. By default, access is allowed at any time and from any IP address.

III. Using VLV with Anonymous Access

Virtual list views (VLV) are a way of indexing entries by only certain attributes, like common name or DN. When the server does a search, it looks through this list of entry names, which is faster than searching through every entry, especially for large directories. See Creating a VLV Index.

The VLV index has to be created in the directory, but the access controls for the index already exist in the dse.ldif file. By default, the VLV ACI allows general access to entries that are in the VLV index. If you have a client that supports VLV searches, like Outlook, and you want to allow anonymous access to the directory through the client, you have to change this default ACI.
  1. Stop the server.

    cd /pathtoserver/slapd-serverName
    ./stop-slapd

  2. Open the directory where the dse.ldif file is:

    cd config

  3. Open the dse.ldif in a text editor.

  4. Find the VLV Request Control ACI. The default ACI looks like the following:

    dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
    objectClass: top
    objectClass: directoryServerFeature
    oid: 2.16.840.1.113730.3.4.9
    cn: VLV Request Control
    aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
    creatorsName: cn=server,cn=plugins,cn=config
    modifiersName: cn=server,cn=plugins,cn=config
    createTimestamp: 20050303120048Z
    modifyTimestamp: 20050303120048Z

  5. Change the all to anyone to allow anonymous access for a VLV search.

    dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
    objectClass: top
    objectClass: directoryServerFeature
    oid: 2.16.840.1.113730.3.4.9
    cn: VLV Request Control
    aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///anyone";)
    creatorsName: cn=server,cn=plugins,cn=config
    modifiersName: cn=server,cn=plugins,cn=config
    createTimestamp: 20050303120048Z
    modifyTimestamp: 20050303120048Z

  6. Restart the server.

    cd ../
    ./start-slapd
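The two dse.ldif procedures above (section II, requiring authentication at the root suffix, and section III, opening the VLV Request Control to anonymous binds) both come down to changing the userdn in one named ACI, and both are easier to reason about if you can see what every ACI in the file currently grants to an unauthenticated bind. The following script is an added example, not part of this page or of the Directory Server distribution. It assumes the ACI shape shown on this page (acl "name"; allow(rights) userdn="ldap:///who") and standard LDIF folding, where a continuation line begins with a single space. ACIs whose bind rule is not a userdn (for example groupdn) are skipped, and the sample dse.ldif fragment is constructed from the two entries quoted above. The rights it treats as worth flagging for anonymous binds are write, add, delete and proxy; note that the VLV ACI on this page grants proxy as well as read, search and compare, so the section III edit extends proxy to anonymous binds too.

```python
"""Audit ACIs in a dse.ldif-style file and rewrite one ACI's bind rule.

Added example; assumes the ACI syntax shown on the page and LDIF folding.
"""
import re

# Constructed sample: the two entries quoted on the page, with the root-suffix
# ACI folded across two lines the way an LDIF writer may emit it.
SAMPLE_DSE_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
aci: (targetattr != "aci")(version 3.0; acl "rootdse anon read access"; al
 low(read,search,compare) userdn="ldap:///anyone";)

dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
"""

# Name, permission, rights list and userdn of an ACI with a userdn bind rule.
ACI_RE = re.compile(
    r'acl\s+"(?P<name>[^"]+)"\s*;\s*'
    r'(?P<perm>allow|deny)\s*\(\s*(?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]+)"')
NAME_RE = re.compile(r'acl\s+"([^"]+)"')
RISKY = {"write", "add", "delete", "proxy"}


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_aci(value):
    """Return (name, permission, set of rights, userdn), or None if the ACI
    uses a bind rule this example does not model (groupdn, roledn, ...)."""
    m = ACI_RE.search(value)
    if not m:
        return None
    rights = {r.strip() for r in m.group("rights").split(",") if r.strip()}
    return m.group("name"), m.group("perm"), rights, m.group("userdn")


def anonymous_rights(text):
    """Map ACI name -> rights that an unauthenticated (anyone) bind is allowed."""
    found = {}
    for line in unfold_ldif(text):
        if not line.startswith("aci:"):
            continue
        parsed = parse_aci(line[4:].strip())
        if parsed and parsed[1] == "allow" and parsed[3] == "ldap:///anyone":
            found[parsed[0]] = parsed[2]
    return found


def risky_anonymous(text):
    """Names of ACIs that allow write, add, delete or proxy to anonymous binds."""
    return sorted(n for n, r in anonymous_rights(text).items() if r & RISKY)


def set_bind_rule(text, aci_name, new_userdn):
    """Return the file text with the userdn of the ACI named aci_name replaced.

    Exactly one ACI must carry that name; the result is emitted unfolded,
    which is still valid LDIF.
    """
    out, hits = [], 0
    for line in unfold_ldif(text):
        m = NAME_RE.search(line) if line.startswith("aci:") else None
        if m and m.group(1) == aci_name:
            line = re.sub(r'(userdn\s*=\s*")[^"]+(")',
                          lambda g: g.group(1) + new_userdn + g.group(2),
                          line, count=1)
            hits += 1
        out.append(line)
    if hits != 1:
        raise ValueError("expected one ACI named %r, found %d" % (aci_name, hits))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("anonymous rights before:", anonymous_rights(SAMPLE_DSE_LDIF))
    # Section II: require authentication at the root suffix.
    general = set_bind_rule(SAMPLE_DSE_LDIF, "rootdse anon read access", "ldap:///all")
    print("anonymous rights after section II edit:", anonymous_rights(general))
    # Section III: open the VLV control to anonymous binds and see what that grants.
    vlv_open = set_bind_rule(SAMPLE_DSE_LDIF, "VLV Request Control", "ldap:///anyone")
    print("risky grants to anonymous after section III edit:", risky_anonymous(vlv_open))
```

Run it against a copy of your own dse.ldif (with the server stopped, as in the procedures above, and a backup kept) by reading the file into set_bind_rule and writing the result back; anonymous_rights on the result is a quick check that the edit had only the effect you intended.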


2003 Bozeman Pass Incorporated