linux - User privileges LDAP scheme

2014-04-06
  • payomeke

    I needed to create a user (it's already created) in my LDAP schema and want to give that user read/write privileges as if they were the admin, but just for a specific subtree.

    The thing is I added an ACL in slapd.conf like this:

    access to dn.subtree="dc=domain,dc=com,o=isp" by dn="cn=user,dc=domain,dc=com,o=isp" manage by * none
    

    When I log in to phpldapadmin with that user, I can't see anything from the subtree, but get this message:

    o=isp This base entry does not exist. Create it?
    

    That entry actually exists, so something's not working.

    If I change the ACL attribute inside slapd.conf to this:

    access to * by dn="cn=user,dc=domain,dc=com,o=isp" manage by * none
    

    Then, when I log in, I can see the whole scheme and all subtrees, but I only want to give privileges for a specific dn, not the whole scheme.

  • Answers
  • payomeke

    I have found the problem.

    I changed the following line inside /etc/phpldapadmin/config.php:

    $servers->setValue('server','base',array('dc=domain,dc=com,o=isp'));
    

    So now when I log in to phpldapadmin I can see the correct subtree schema with the user who has the correct privileges.
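
    The two ACLs from the question, run through a small evaluator of slapd.conf `access to ... by ...` directives. This is an added example in Python, not code from the question, the answer or OpenLDAP; it models the evaluation order documented in slapd.access(5) (directives tried in file order, first matching `to` selector wins, first matching `by` clause sets the level, anything unmatched gets `none`). It assumes plain DNs without escaped commas, only dn-based selectors, one directive per line, and ignores rootdn, which bypasses ACLs. The point it makes: the subtree ACL gives the user `manage` inside dc=domain,dc=com,o=isp but nothing on o=isp itself, so a phpldapadmin base of o=isp was unreadable for that user until the base was changed to the subtree.

```python
"""Evaluate slapd.conf 'access to <what> by <who> <level>' directives.

Added example, not OpenLDAP code.  Models the order in slapd.access(5):
directives in file order, first <what> matching the entry wins, first
matching 'by' clause sets the level, unmatched -> 'none'.  Assumptions:
no escaped commas in DNs, dn-based selectors only, one directive per line,
no rootdn (which bypasses ACLs).
"""
import shlex

# Privilege levels, weakest first; 'add'/'delete' (parts of write) omitted.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    """Split a DN into RDNs, ignoring case and whitespace around commas."""
    return [rdn.strip().lower() for rdn in dn.split(",")] if dn else []

def dn_matches(style, base, target):
    """Apply a dn.<style> selector with value `base` to the DN `target`."""
    b, t = norm_dn(base), norm_dn(target)
    suffix = t[len(t) - len(b):] if len(t) >= len(b) else None
    if style in ("exact", "base"):
        return t == b
    if style == "subtree":      # the base entry and everything below it
        return suffix == b
    if style == "children":     # strictly below the base
        return len(t) > len(b) and suffix == b
    raise ValueError("unsupported dn style: " + style)

def parse_selector(token):
    """'*' or dn[.style]=<dn> (shlex has removed the quotes) -> (style, dn)."""
    if token == "*":
        return ("any", None)
    key, _, value = token.partition("=")
    if key == "dn":
        return ("exact", value)
    if key.startswith("dn."):
        return (key[3:], value)
    raise ValueError("unsupported selector: " + token)

def parse_acl(text):
    """Parse 'access to ...' lines into [((style, dn), [(who, level), ...])]."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)
        if not toks:
            continue
        if toks[:2] != ["access", "to"] or len(toks) < 3:
            raise ValueError("not an access directive: " + line)
        what, clauses, i = parse_selector(toks[2]), [], 3
        while i < len(toks):
            if toks[i] != "by" or i + 2 >= len(toks) or toks[i + 2] not in LEVELS:
                raise ValueError("bad 'by' clause in: " + line)
            clauses.append((toks[i + 1], toks[i + 2]))
            i += 3
        rules.append((what, clauses))
    return rules

def who_matches(who, requester, entry):
    """`requester` is the bind DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and norm_dn(requester) == norm_dn(entry)
    style, value = parse_selector(who)
    return requester is not None and dn_matches(style, value, requester)

def access_level(rules, requester, entry):
    """Level `requester` gets on `entry`; the first matching directive decides."""
    for (style, value), clauses in rules:
        if style != "any" and not dn_matches(style, value, entry):
            continue
        for who, level in clauses:
            if who_matches(who, requester, entry):
                return level
        return "none"   # implicit trailing 'by * none'
    return "none"       # implicit trailing 'access to * by * none'

# The two ACLs posted in the question, and the DN they are written for.
ACL_SUBTREE = ('access to dn.subtree="dc=domain,dc=com,o=isp" '
               'by dn="cn=user,dc=domain,dc=com,o=isp" manage by * none')
ACL_ALL = 'access to * by dn="cn=user,dc=domain,dc=com,o=isp" manage by * none'
USER = "cn=user,dc=domain,dc=com,o=isp"

def demo():
    """o=isp is the base phpldapadmin used before the fix; the subtree ACL
    grants the user nothing there, the wildcard ACL grants manage everywhere."""
    sub, wild = parse_acl(ACL_SUBTREE), parse_acl(ACL_ALL)
    return {
        "subtree acl, o=isp": access_level(sub, USER, "o=isp"),                       # none
        "subtree acl, base": access_level(sub, USER, "dc=domain,dc=com,o=isp"),       # manage
        "subtree acl, sibling": access_level(sub, USER, "dc=other,dc=com,o=isp"),     # none
        "subtree acl, anonymous": access_level(sub, None, "dc=domain,dc=com,o=isp"),  # none
        "wildcard acl, o=isp": access_level(wild, USER, "o=isp"),                     # manage
    }
```

    A useful check before touching a live server: feed the directives in the order they appear in slapd.conf and evaluate the bind DN against the base DN the client is configured with, not just against the subtree you meant to delegate.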


  • Related Question

    linux - Ubuntu: limiting user account only to access his home dir
  • migajek

    I just created a new user account, but the new user is able to access the whole directory structure (including others' home directories). I'd like to limit the user to access ONLY his home directory (and nothing "above"). How do I do this?


  • Related Answers
  • grawity

    Set the modes on all home directories to 0700.

    Optionally, set the default umask to 077. In Ubuntu, edit the "umask 022" line in /etc/profile. Optionally, update PAM configuration in /etc/pam.d/common-session (pam_umask.so umask=077 usergroups).

    Optionally, chmod /etc/skel and update /etc/adduser.conf (line "DIR_MODE=0755") to 0700.


    You cannot restrict a user to "home directory and nothing "above"" without a lot of headache, and it does not make sense either (for me, at least):

    • To execute any program, the user must have 'read' access to it.
    • To use shared libraries, a program must have 'read' access to them.
    • To read the system-wide configuration files and resources, 'read' access is needed too.

    It is write access you should be afraid of, and the default permissions already prevent writing anywhere except a few locations.

  • Kashif

    This thread is a little bit old, but anyway you can restrict users (very restrictively) to their home directory by changing the bash shell to rbash if you really want to. This way the user can't use the cd command. Or change the home directory owner as mentioned above. But remember that the user can execute bash, so apply restrictive settings...
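
    The permission-hardening steps from grawity's answer (0700 on every home, umask 077, DIR_MODE=0700), as an added example in Python that is not code from the thread. It audits a directory of homes for any group/world bit, fixes them to 0700, rewrites the `umask 022` line in /etc/profile-style text and the `DIR_MODE=0755` line in /etc/adduser.conf-style text, and measures the mode a new file actually gets under each umask. It runs only against a constructed sandbox (a temp directory standing in for /home, with text strings standing in for the config files), never the real /home or /etc; it assumes home directories are the direct children of the given root.

```python
"""Audit and harden home-directory permissions (0700 homes, umask 077).

Added example, not code from the answer.  Runs against a constructed
sandbox, not the real /home or /etc.  Assumption: the home directories are
the direct children of `root`.
"""
import itertools
import os
import re
import stat
import tempfile

HOME_MODE = 0o700      # owner only
OTHERS_MASK = 0o077    # any group or world bit set means the home is reachable

def audit_homes(root):
    """Return {name: mode} for homes under root that group/other can reach."""
    leaky = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.islink(path) or not os.path.isdir(path):
            continue
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & OTHERS_MASK:
            leaky[name] = mode
    return leaky

def fix_homes(root):
    """chmod 0700 every reachable home; return the names that were changed."""
    fixed = []
    for name in audit_homes(root):
        os.chmod(os.path.join(root, name), HOME_MODE)
        fixed.append(name)
    return fixed

def set_umask(profile_text, new="077"):
    """Rewrite 'umask NNN' lines in /etc/profile-style text, keeping the rest."""
    return re.sub(r"^(\s*umask\s+)[0-7]{3,4}\b", lambda m: m.group(1) + new,
                  profile_text, flags=re.M)

def set_dir_mode(adduser_conf, new="0700"):
    """Rewrite the DIR_MODE= line in /etc/adduser.conf-style text."""
    return re.sub(r"^(DIR_MODE=)[0-7]{3,4}\b", lambda m: m.group(1) + new,
                  adduser_conf, flags=re.M)

_probe = itertools.count()

def created_mode(directory, umask):
    """Mode a newly created file gets under `umask` (0666 & ~umask on Linux)."""
    old = os.umask(umask)
    try:
        path = os.path.join(directory, "probe-%d" % next(_probe))
        os.close(os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666))
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)   # restore the caller's umask whatever happened

def make_sandbox():
    """Constructed stand-in for /home: two homes created with Ubuntu's
    default DIR_MODE=0755, the setting the answer tells you to change."""
    root = tempfile.mkdtemp(prefix="home-")
    for user in ("alice", "bob"):
        path = os.path.join(root, user)
        os.mkdir(path)
        os.chmod(path, 0o755)   # mkdir applies the umask, so set it explicitly
    return root

def demo():
    root = make_sandbox()
    before = audit_homes(root)                 # {'alice': 0o755, 'bob': 0o755}
    fixed = fix_homes(root)                    # ['alice', 'bob']
    after = audit_homes(root)                  # {}
    modes = {"022": created_mode(root, 0o022), "077": created_mode(root, 0o077)}
    return before, fixed, after, modes         # modes == {'022': 0o644, '077': 0o600}
```

    The umask measurement is the part worth keeping: it shows that 0700 on the home only closes the front door, and that files created later are still 0644 until the default umask (profile or pam_umask) is changed as the answer describes.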