Access control list for LDAP OU (Organisational Unit) in OpenLDAP

JackOfAllTradesCoder

12/13/22, 9:14 AM

I am new to LDAP (currently using OpenLDAP 2.4) and I am struggling to define a ACL entry using slapd that will manage the various Access Levels for entries that are child entries of an OU.

The structure is as follows:

cn=user1,ou=users,dc=somedomain,dc=com
cn=user2,ou=users,dc=somedomain,dc=com

This is what I currently have, but when implemented, the children of the OU "users" don't have the access level as required:

access to dn.subtree="ou=users,dc=somedomain,dc=com" 
by dn.subtree="ou=users,dc=somedomain,dc=com" read
by * none

I would like to have all the children of the OU to only be able to read the contents of the OU and it's children.

Is this possibly using dn.subtree, or can this only be achieved using filters?

Any help would be greatly appreciated.

Kind regards

0 + 0

openldap

ldap

access-control-list

slapd

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Access control list for LDAP OU (Organisational Unit) in OpenLDAP

TH: รายการควบคุมการเข้าถึงสำหรับ LDAP OU (หน่วยขององค์กร) ใน OpenLDAP

RO: Lista de control al accesului pentru LDAP OU (Unitate organizațională) în OpenLDAP

RU: Список контроля доступа для LDAP OU (организационной единицы) в OpenLDAP

VI: Danh sách kiểm soát truy cập cho LDAP OU (Đơn vị tổ chức) trong OpenLDAP

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.