“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 485 — #511
21 Linux in the Network
This rule declares that only its respective administrator has write access to
an individual ou entry. All other authenticated users have read access and
the rest of the world has no access.
Note
Establishing Access Rules
If there is no "access to" rule or no matching "by" directive, access
is denied. Only explicitly declared access rights are granted. If no
rules are declared at all, the default principle is write access for
the administrator and read access for the rest of the world.
Note
Find detailed information and an example configuration for LDAP access
rights in the online documentation of the installed openldap2 package.
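As an added illustration (not code from the manual or the openldap2 package), the following Python model walks access rules the way the text describes: the first "access to" clause covering the entry is chosen, within it the first matching "by" clause decides, and anything not matched is denied; with no rules at all, the rootdn of Example 21.22 may write and everyone else may read. OU_RULE is a constructed version of the per-ou rule discussed above; the administrator DN pattern in it is an assumption.

```python
import re

# slapd access levels, lowest to highest; a granted level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ROOTDN = "cn=admin,dc=suse,dc=de"  # rootdn from Example 21.22

# Constructed rule in the shape described above: the ou's own administrator
# may write, other authenticated users may read, the rest of the world gets nothing.
OU_RULE = [
    (r"ou=([^,]+),dc=suse,dc=de",
     [('dn.regex="cn=administrator,ou=$1,dc=suse,dc=de"', "write"),
      ("users", "read"),
      ("*", "none")]),
]

def who_matches(who, requester, target_match):
    """Does a 'by <who>' clause apply to requester (a bind DN, None if anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who.startswith("dn.regex="):
        # Expand $1, $2, ... from the 'access to dn.regex' match, as slapd does.
        pattern = who[len("dn.regex="):].strip('"')
        for i, group in enumerate(target_match.groups(), start=1):
            pattern = pattern.replace(f"${i}", re.escape(group))
        return requester is not None and re.fullmatch(pattern, requester, re.I) is not None
    raise ValueError(f"unsupported 'by' clause: {who}")

def check_access(rules, requester, target_dn, wanted, rootdn=ROOTDN):
    """True if requester gets at least 'wanted' access to target_dn under rules."""
    if requester is not None and requester == rootdn:
        return True  # the rootdn is never subject to access rules
    if not rules:
        # No rules declared at all: read for everyone (the administrator was handled above).
        return LEVELS.index(wanted) <= LEVELS.index("read")
    for target_regex, by_clauses in rules:
        match = re.fullmatch(target_regex, target_dn, re.I)
        if match is None:
            continue  # this 'access to' does not cover the entry; try the next rule
        for who, level in by_clauses:
            if who_matches(who, requester, match):
                return LEVELS.index(wanted) <= LEVELS.index(level)
        return False  # 'access to' matched but no 'by' clause did: denied
    return False  # no 'access to' rule covers the entry: denied
```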
Apart from administering access permissions in the central server
configuration file (slapd.conf), there is ACI, access control information.
ACI allows the access information to be stored with the individual objects
within the LDAP tree. This type of access control is not yet common and is
still considered experimental by the developers. Refer to
http://www.openldap.org/faq/data/cache/758.html for information.
Database-Specific Directives in slapd.conf
Example 21.22: slapd.conf: Database-Specific Directives
database ldbm
suffix "dc=suse,dc=de"
rootdn "cn=admin,dc=suse,dc=de"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
The type of database, LDBM in this case, is determined in the first line of
this section (see Example 21.22). The second line determines, with suffix,
for which portion of the LDAP tree this server should be responsible.
485
SUSE LINUX Enterprise Server