
I am new to OpenLDAP. I would like to know how to restrict a user from searching part of the LDAP database.

For example, I have ldap root dn <dc=abc,dc=com>

There are other groups like below:

ou=department1,dc=abc,dc=com
ou=department2,dc=abc,dc=com
ou=people,dc=abc,dc=com
cn=userA,ou=people,dc=abc,dc=com
cn=userB,ou=people,dc=abc,dc=com

I would like to allow userA to be able to search data only under the dn:

ou=department1,dc=abc,dc=com

but restrict it from searching under dn: ou=department2,dc=abc,dc=com

How could I implement that?

Ulrich Schwarz
smoking gun
  • This can be done via the 'access' command in slapd.conf, which you need to look up. Too broad to answer here. – user207421 Jan 24 '16 at 18:34

2 Answers


You can explicitly set permissions and blocks in the slapd.conf file; the base install has a few samples.

user353829

You have to configure ACLs in the slapd.conf file. Here are two example ACLs that you could use for your case. But remember to add whatever other permissions other users need for "ou=department1,dc=abc,dc=com" and "ou=department2,dc=abc,dc=com".

access to dn="ou=department1,dc=abc,dc=com"
      by dn="cn=userA,ou=people,dc=abc,dc=com" read
      by * none

access to dn="ou=department2,dc=abc,dc=com"
      by dn="cn=userA,ou=people,dc=abc,dc=com" none
      by * none

For more information, read the documentation about OpenLDAP access control: http://www.openldap.org/doc/admin24/access-control.html

Lucas Araujo
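As an added example (not part of either answer above), here is a complete slapd.conf ACL section for the layout in the question, showing the two points the short ACLs leave out: the scope style and the order of evaluation. slapd walks the access directives top to bottom, uses the first "access to" whose target matches the entry, and within it the first "by" clause matching the requester; anything not granted is denied. The scope style is written explicitly as dn.subtree= so each rule covers the ou entry and every entry beneath it; a bare dn= with no style, as in the answer, is an exact match on the single ou entry and does not extend to the child entries userA actually wants to find. The group cn=admins,ou=people,dc=abc,dc=com and the suffix entry dc=abc,dc=com are assumptions for the sake of the example.

```conf
# Added example for the question's layout (not code from the answers).
# Directives are evaluated in order; first matching "access to" wins, and
# within it the first matching "by" clause decides. Unmatched requests are
# denied, so the most specific targets come first and "access to *" last.

# Passwords: the owner may change its own, everyone else may only use it
# to bind (auth). Nobody can read password hashes.
access to attrs=userPassword
      by self write
      by anonymous auth
      by * none

# The suffix entry itself: authenticated users may read it so that a
# search based at dc=abc,dc=com can start. (Assumed suffix.)
access to dn.base="dc=abc,dc=com"
      by users read
      by * none

# department1 and everything beneath it: readable by userA only.
# dn.subtree covers the ou entry and all of its descendants, which a
# bare dn= (exact match on the ou entry alone) would not.
access to dn.subtree="ou=department1,dc=abc,dc=com"
      by dn.exact="cn=userA,ou=people,dc=abc,dc=com" read
      by * none

# department2 and everything beneath it: only the (assumed) admins group.
# userA matches no "by" clause here and falls through to "by * none".
access to dn.subtree="ou=department2,dc=abc,dc=com"
      by group.exact="cn=admins,ou=people,dc=abc,dc=com" read
      by * none

# Everything else, including ou=people: a bound user may read its own
# entry and nothing more.
access to *
      by self read
      by * none
```

Check the result before relying on it: slapacl evaluates the ACLs offline for a given bind DN and target, e.g. slapacl -f /etc/ldap/slapd.conf -D "cn=userA,ou=people,dc=abc,dc=com" -b "ou=department2,dc=abc,dc=com" -v (the config path is an assumption), and a live ldapsearch bound as userA with base ou=department2,dc=abc,dc=com should return no entries, since without the disclose privilege slapd reports the base as "no such object" rather than revealing that it exists. If the server is configured through cn=config rather than slapd.conf, the same clauses go into the database's olcAccess attributes, one per value, with {0}, {1}, ... prefixes fixing the order.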