
I have created the two databases below in OpenLDAP.

database    bdb
suffix      "dc=testdomain1,dc=com"
rootdn      "cn=Manager,dc=testdomain1,dc=com"
rootpw      secret
directory   /usr/local/var/openldap-testdomain1


database    bdb
suffix      "dc=testdomain2,dc=com"
rootdn      "cn=Manager,dc=testdomain2,dc=com"
rootpw      secret
directory   /usr/local/var/openldap-testdomain2

But I can access both databases with the bind account credentials (cn=Manager,dc=testdomain1,dc=com) from domain 1. Can anyone suggest a solution to restrict access to users from the same domain only?

Thanks.

Kalpesh

2 Answers


I found the solution in the OpenLDAP documentation: http://www.openldap.org/doc/admin24/access-control.html

I added the lines below to my slapd.conf file

# Entries under dc=testdomain1,dc=com: the entry's own DN may write it,
# DNs below dc=testdomain1,dc=com may search, anonymous may only bind,
# and everyone else (including cn=Manager,dc=testdomain2,dc=com) gets
# the implicit final "by * none".
access to dn.subtree="dc=testdomain1,dc=com"
    by self write
    by dn.children="dc=testdomain1,dc=com" search
    by anonymous auth

# Same policy for dc=testdomain2,dc=com.
access to dn.subtree="dc=testdomain2,dc=com"
    by self write
    by dn.children="dc=testdomain2,dc=com" search
    by anonymous auth
Kalpesh

You should not use the Manager account for anything. Anything. Period. It is for OpenLDAP itself, and it bypasses a whole lot of processing you don't want to bypass, such as the password-policy overlay.

You should define your own administrative accounts, and accounts for the applications and users that are going to log in to it, and give them access control as per man slapd.conf.

user207421
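Putting the two answers together, here is an added example slapd.conf that is not from either answer, from the question, or from the OpenLDAP project. It shows the two points a practitioner needs when separating the naming contexts: access directives placed after a database line are scoped to that database, and a rootdn bypasses access control only for operations on its own database, so in the other database it is just another authenticated DN that falls through to the default "access to * by * read" unless ACLs say otherwise. The schema path, the cn=admin DNs and the rootpw placeholders are assumptions for illustration; real deployments put the output of slappasswd(8) in rootpw.

```conf
# Added example configuration (not from the original post).
# Assumed schema path; adjust to the install prefix in use.
include     /usr/local/etc/openldap/schema/core.schema

# Anything above the first "database" line is global. Per-database
# ACLs below are consulted first; global ones only act as a fallback.

#######################################################################
# Database 1: dc=testdomain1,dc=com
#######################################################################
database    bdb
suffix      "dc=testdomain1,dc=com"
# rootdn is exempt from ACLs ONLY for operations on this database.
rootdn      "cn=Manager,dc=testdomain1,dc=com"
# Placeholder: replace with the {SSHA} hash printed by slappasswd(8).
rootpw      {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory   /usr/local/var/openldap-testdomain1

# Password hashes must never be readable by other users, so this rule
# comes first (the first matching "access to" clause wins).
access to attrs=userPassword
    by dn.exact="cn=admin,dc=testdomain1,dc=com" write
    by self write
    by anonymous auth
    by * none

# Day-to-day administration uses cn=admin, an ordinary entry that IS
# subject to ACLs and overlays (e.g. ppolicy), instead of the rootdn.
# "read" rather than "search" so that matching entries and attributes
# are actually returned; "search" alone only lets an entry be matched
# against a filter. The implicit final clause is "by * none", which is
# what keeps cn=Manager,dc=testdomain2,dc=com out of this tree.
access to dn.subtree="dc=testdomain1,dc=com"
    by dn.exact="cn=admin,dc=testdomain1,dc=com" write
    by self write
    by dn.children="dc=testdomain1,dc=com" read
    by anonymous auth

#######################################################################
# Database 2: dc=testdomain2,dc=com (distinct suffix, distinct rootdn)
#######################################################################
database    bdb
suffix      "dc=testdomain2,dc=com"
rootdn      "cn=Manager,dc=testdomain2,dc=com"
rootpw      {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory   /usr/local/var/openldap-testdomain2

access to attrs=userPassword
    by dn.exact="cn=admin,dc=testdomain2,dc=com" write
    by self write
    by anonymous auth
    by * none

access to dn.subtree="dc=testdomain2,dc=com"
    by dn.exact="cn=admin,dc=testdomain2,dc=com" write
    by self write
    by dn.children="dc=testdomain2,dc=com" read
    by anonymous auth
```

After restarting slapd, check the isolation from the client side with a simple bind that crosses the boundary, for example `ldapsearch -x -H ldap://localhost -D "cn=Manager,dc=testdomain1,dc=com" -W -b "dc=testdomain2,dc=com"`: it should return no entries from dc=testdomain2,dc=com, while the same bind against -b "dc=testdomain1,dc=com" still returns the first tree. The cn=admin entries themselves have to exist in their respective databases (with a userPassword) before they can bind, which is the one piece of setup a slapd.conf alone cannot provide.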