6

I am setting up a CentOS server with Virtualmin and Postfix, and I am trying to use LDAP to store unix users, groups, Postfix aliases and virtual domains. I am following the instructions from Webmin's site.

I have created an LDAP domain and configured Postfix to fetch Aliases and Virtual Domains from LDAP, but in order to do so I had to configure postfix to authenticate with the master LDAP account, cn=Manager,dc=mydomain,dc=com. This seems like a terrible idea because that account has access to the Users and Groups, which postfix does not need access to.

How can I create a new LDAP account for Postfix which only has access to the LDAP trees Postfix needs?

Josh

2 Answers

10

You need to do two things:

  1. Create an object in the LDAP directory that Postfix can bind to (connect to)
  2. Write an ACL in OpenLDAP's configuration to allow this user to bind, and search the tree as you desire

To add a simple entry for Postfix, use either a graphical LDAP browser (such as Apache Directory Studio) or the command line tool ldapadd. Add an object like this:

dn: cn=postfix,ou=Applications,dc=mydomain,dc=com
cn: postfix
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {SSHA}n+aYhO/TOitWkyMp9v/fe5ndtOhY0/3U

This last line is a hash of the password you want to use, generated via the slappasswd utility:

$ slappasswd -s secret
{SSHA}n+aYhO/TOitWkyMp9v/fe5ndtOhY0/3U

Once this is done, add some ACLs to your slapd.conf that look something like this:

access to dn.sub="dc=mydomain,dc=com" attrs=userPassword
    by anonymous auth

access to dn.sub="ou=people,dc=mydomain,dc=com"
    by dn.exact="cn=postfix,ou=Applications,dc=mydomain,dc=com" read

See the OpenLDAP admin guide chapter on access control for more details on writing ACLs and their interpretation. Watch out for the order they are in: it matters!

Jonathan Clarke
  • Thanks a lot, I have been trying and unfortunately, it didn't help: https://serverfault.com/questions/930108/how-to-add-acl-on-openldap – Dimitri Kopriwa Sep 09 '18 at 10:34
  • `ldapsearch` returns no result, I believe the ACLs are not configured correctly and I am not understanding why. Any help would be appreciated – Dimitri Kopriwa Sep 09 '18 at 10:34
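As an added illustration of the "order matters" caveat in the answer above (this is example code written for this page, not code from the answer and not OpenLDAP's own implementation): a small Python model of how slapd evaluates `access to ... by ...` directives, following the rules in slapd.access(5). It parses the two directives exactly as written in the answer, evaluates what the cn=postfix bind DN, an anonymous client and the rootdn are granted on a few targets, and then repeats the evaluation with the two directives swapped. The entries uid=alice,ou=people,... and cn=wheel,ou=groups,... are made up for the demonstration, and cn=Manager,dc=mydomain,dc=com is assumed to be the database rootdn as in the question.

```python
"""Added example (not OpenLDAP code): a small model of how slapd evaluates
'access to <what> by <who> <level>' directives per slapd.access(5): the first
directive whose <what> matches the target wins; within it the first matching
'by' clause sets the level; a matched directive with no matching 'by' denies
(implicit 'by * none'); the rootdn bypasses ACLs.  Supports dn.exact, dn.sub/
dn.subtree, attrs= and the <who> forms '*', anonymous and dn.exact= only."""
import shlex

# slapd access levels, weakest to strongest (write/add/delete collapsed into write)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_acl(text):
    # Indented lines continue the previous directive, so join everything and split on 'access to'.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]
    parsed = []
    for directive in " ".join(lines).split("access to ")[1:]:
        toks = shlex.split(directive)            # also strips the quotes around DNs
        dn = scope = attrs = None
        while toks and toks[0] != "by":
            tok = toks.pop(0)
            if tok.startswith("dn.exact="):
                dn, scope = tok[9:], "exact"
            elif tok.startswith(("dn.sub=", "dn.subtree=")):
                dn, scope = tok.split("=", 1)[1], "sub"
            elif tok.startswith("attrs="):
                attrs = {a.lower() for a in tok[6:].split(",")}
            elif tok != "*":
                raise ValueError("unsupported <what> selector: " + tok)
        clauses = []
        while toks:
            if toks[0] != "by" or len(toks) < 3 or toks[2] not in LEVELS:
                raise ValueError("malformed 'by' clause: " + " ".join(toks))
            clauses.append((toks[1], toks[2]))
            del toks[:3]
        parsed.append(((dn, scope, attrs), clauses))
    return parsed

def what_matches(what, entry_dn, attr):
    dn, scope, attrs = what
    e, b = norm_dn(entry_dn), norm_dn(dn or "")
    if scope == "exact" and e != b or scope == "sub" and not (e == b or e.endswith("," + b)):
        return False
    if attrs is not None:                 # attrs= limits the directive to those attributes only
        return attr is not None and attr.lower() in attrs
    return True

def who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who.startswith("dn.exact="):
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[9:])
    raise ValueError("unsupported <who> selector: " + who)

def access_level(acl, bind_dn, entry_dn, attr, rootdn=None):
    if rootdn and bind_dn and norm_dn(bind_dn) == norm_dn(rootdn):
        return "manage"          # the rootdn (cn=Manager here) is never subject to ACLs
    if not acl:
        return "read"            # no directives at all: slapd's default 'access to * by * read'
    for what, clauses in acl:
        if what_matches(what, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn):
                    return level
            return "none"        # directive matched but no 'by' did: implicit 'by * none'
    return "none"                # nothing matched: implicit trailing 'access to * by * none'

def allows(acl, bind_dn, entry_dn, attr, needed, rootdn=None):
    return LEVELS.index(access_level(acl, bind_dn, entry_dn, attr, rootdn)) >= LEVELS.index(needed)

# The two directives from the answer, in the order given there, and the same pair swapped.
ANSWER_ACL = """
access to dn.sub="dc=mydomain,dc=com" attrs=userPassword
    by anonymous auth

access to dn.sub="ou=people,dc=mydomain,dc=com"
    by dn.exact="cn=postfix,ou=Applications,dc=mydomain,dc=com" read
"""
SWAPPED_ACL = "\n".join(ANSWER_ACL.strip().split("\n\n")[::-1])
ROOTDN = "cn=Manager,dc=mydomain,dc=com"             # assumed rootdn, as in the question
POSTFIX = "cn=postfix,ou=Applications,dc=mydomain,dc=com"
ALICE = "uid=alice,ou=people,dc=mydomain,dc=com"    # made-up user entry for the demo
WHEEL = "cn=wheel,ou=groups,dc=mydomain,dc=com"      # made-up group entry for the demo

def check(acl_text):
    acl = parse_acl(acl_text)   # a simple bind needs 'auth' on the target's userPassword
    return {
        "postfix_can_bind": allows(acl, None, POSTFIX, "userPassword", "auth"),
        "postfix_reads_mail": allows(acl, POSTFIX, ALICE, "mail", "read"),
        "postfix_reads_hash": allows(acl, POSTFIX, ALICE, "userPassword", "read"),
        "alice_can_bind": allows(acl, None, ALICE, "userPassword", "auth"),
        "postfix_reads_groups": allows(acl, POSTFIX, WHEEL, "member", "read"),
        "manager_reads_hash": allows(acl, ROOTDN, ALICE, "userPassword", "read", rootdn=ROOTDN),
    }
```

Calling `check(ANSWER_ACL)` shows the answer's order doing what was intended: the postfix account can bind, can read alice's mail attribute but not her userPassword (the first directive claims that attribute and its implicit `by * none` ends evaluation), alice can still bind, and ou=groups is invisible to postfix because no directive matches it. `check(SWAPPED_ACL)` shows the failure mode of getting the order wrong: with the ou=people directive first, postfix can read every password hash under ou=people and anonymous binds as those users are denied, so user logins break. The last entry is the reason for the original question: the rootdn is not subject to ACLs at all, which is why binding Postfix as cn=Manager gave it the whole directory.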
1

This part of "LDAP for Rocket Scientists" explains how to set up an ACL for parts of your LDAP server tree.

Kamil Kisiel