simpleSecurityObject)(objectClass=posixAccount))
> > by self read
> > by * none
>
>
> >Just add this rule before the global rule "access to *"
>
>
> >>ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -b
> >>"ou=People,dc=abc,dc=com" "uid=ldap_7"
>
> >And if you search like this with bind "admin dn", you will see every
> >object....
> >You have to bind with user ldap_6 and not with root
> But anyway the client user knows the admin dn and rootbindpassword. So,
> with this he will look into all directory information which he is
> not supposed to see.
> e.g. ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster
>
> So, how to avoid this?
>
>Why does the client user know the admin dn and pw?
Because the /etc/ldap.conf file on the client contains the admin dn and pw.
Each user's information in the directory contains the following entries (here, e.g. ldap_6):
dn: uid=ldap_6,ou=People,dc=abc,dc=com
uid: ldap_6
cn: ldap_6
sn: ldap_6
mail: ldap_6@abc.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: hostObject
objectClass: simpleSecurityObject
shadowLastChange: 13998
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 514
gidNumber: 514
homeDirectory: /home/ldap_6
host: *
userPassword:: e2NyeXB0fSQxJGRUb1p6bVp5JGY2VFF5UWMxNndSbjdLcHpnMUlsdS8=
So, what should be the ACL rule so that each user can see his data only? I tried but I am not getting the required result; even the user himself is unable to see his own data.
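As an added example (not configuration from the thread, and not taken from OpenLDAP's own documentation), the following shows how the server ACLs and the client /etc/ldap.conf could be arranged so that a user can read only his own entry while nss_ldap/pam_ldap lookups keep working. The suffix dc=abc,dc=com, the container ou=People,dc=abc,dc=com and the rootdn cn=root,dc=abc,dc=com are the values from the messages above; the proxy account cn=nss-proxy,ou=Services,dc=abc,dc=com, the host name ldap.abc.com and the password placeholders are assumptions.

```conf
########################################################################
# Server side: slapd.conf ACL fragment (added example).
#
# slapd evaluates "access to" directives in order and uses the FIRST
# one whose <what> matches the entry/attribute being accessed; inside
# it the first matching "by" clause wins.  Every specific rule must
# therefore come before the catch-all "access to *".
#
# The rootdn (cn=root,dc=abc,dc=com here) is never subject to ACLs.
# No ACL can stop a client that binds as rootdn from reading the whole
# directory; that leak has to be closed on the client (see below).
########################################################################

# 1. Password hashes: owner may change his own, anybody may present one
#    to authenticate (simple bind needs "auth"), nobody may read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The container entry itself must stay readable/searchable for
#    authenticated users, otherwise a search with base ou=People fails
#    before the user's own entry is even considered.  This is a common
#    reason why "even the user cannot see his own data".  dn.base
#    matches only this one entry (ou, objectClass), not the users.
access to dn.base="ou=People,dc=abc,dc=com"
        by users read
        by * none

# 3. Public account attributes of the user entries: what NSS needs for
#    getent passwd, id, "ls -l" owner names.  Readable by the assumed
#    unprivileged proxy account the clients bind as, and by the owner.
#    "entry" is the pseudo-attribute that lets the entry be returned.
access to dn.children="ou=People,dc=abc,dc=com"
        attrs=entry,objectClass,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell
        by dn.exact="cn=nss-proxy,ou=Services,dc=abc,dc=com" read
        by self read
        by * none

# 4. Everything else in the user entries (mail, sn, shadow*, host, ...):
#    only the entry's owner; other users get nothing, and entries they
#    cannot see are silently left out of their search results.
access to dn.children="ou=People,dc=abc,dc=com"
        by self read
        by * none

# 5. Catch-all for the rest of the tree (suffix entry, ou=Services, ...).
access to *
        by users read
        by * none

########################################################################
# Client side: /etc/ldap.conf (nss_ldap / pam_ldap).
#
# WEAK (what the thread describes): the administrator's credentials in
# a file every local user can read.  Anyone can copy them and run
# ldapsearch -D cn=root,... against the whole directory, and the ACLs
# above cannot help because rootdn bypasses them.
#
#   binddn  cn=root,dc=abc,dc=com
#   bindpw  ADMIN-PASSWORD-PLACEHOLDER
#
# CORRECTED: this file still has to be world-readable (nss_ldap runs
# inside every user's processes), so it may only contain credentials
# of an account that sees nothing beyond rule 3 above.
########################################################################
base      dc=abc,dc=com
uri       ldap://ldap.abc.com/                    # assumed host name

# Unprivileged proxy used for ordinary lookups and for finding a user's
# DN before pam_ldap rebinds as that user with his own password.
binddn    cn=nss-proxy,ou=Services,dc=abc,dc=com  # assumed proxy account
bindpw    PROXY-PASSWORD-PLACEHOLDER

# Only if processes running as root really need administrator rights
# (e.g. pam_ldap password changes): the password is then read from
# /etc/ldap.secret, which must be owned by root with mode 0600, so it is
# never visible to unprivileged users.  Omit both if root does not need it.
rootbinddn cn=root,dc=abc,dc=com
#   as root:  echo 'ADMIN-PASSWORD-PLACEHOLDER' > /etc/ldap.secret
#             chmod 0600 /etc/ldap.secret
```

To check the result after restarting slapd, bind as the user and as the proxy: `ldapsearch -x -D "uid=ldap_6,ou=People,dc=abc,dc=com" -W -b "ou=People,dc=abc,dc=com" "objectClass=posixAccount"` should return only ldap_6's full entry, the same search bound as cn=nss-proxy should return every account but only the attributes listed in rule 3, and `getent passwd ldap_6` on the client should still resolve. Splitting the user entries into a public attribute set and a self-only remainder is the trade-off that keeps logins working: if rule 3 were dropped and the children were entirely `by self read`, the proxy could not find a user's DN and pam_ldap authentication would fail for everyone. Whatever the ACLs say, the decisive change is removing the rootdn password from the world-readable /etc/ldap.conf, since rootdn is exempt from ACL evaluation.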