Michael Oberg - Freelance IT Consultant and Software Developer
The configuration file /etc/openldap/slapd.conf contains, among other things, the following settings:
Assigning access rights to the LDAP directory was already described under LDAP in the section "Dedicated Access to LDAP".
Explicitly setting up access rights is therefore quite simple ("... by dn=... write"). The problem is that enabling write access may open security gaps, which could leave the server insecure and open to break-ins.
For example, to reserve the creation of UNIX users or groups to the LDAP administrator alone, the creation of such objects in the directory "contacts" must be forbidden; the only way to do this is to make the attributes typical for these objects (passwords, ID numbers) unreadable there.
Likewise, certain system-critical attributes must not be changeable within user and group objects (ID numbers, passwords, group and user names).
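The following access block is an added example of how the two restrictions above can be expressed in slapd.conf; it is not taken from the original page. It assumes the suffix dc=example,dc=com, contacts under ou=contacts, UNIX accounts under ou=people, groups under ou=groups, and an administrator DN cn=admin,dc=example,dc=com that is a normal entry rather than the rootdn (the rootdn bypasses ACLs entirely, so rules granting it access would be meaningless). OpenLDAP evaluates "access to" clauses top-down and the first clause whose target matches decides, so the specific rules must precede the catch-all.

```conf
# Added example (assumptions: suffix dc=example,dc=com, admin DN
# cn=admin,dc=example,dc=com which is not the rootdn).

# 1. System-critical attributes of user objects: only the administrator may
#    change them. The password is never readable; it can only be used for
#    binding ("auth").
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by dn.exact="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by self auth
    by * none

access to dn.subtree="ou=people,dc=example,dc=com" attrs=uid,uidNumber,gidNumber
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * read

# 2. The same for group objects: group name and GID are admin-only.
access to dn.subtree="ou=groups,dc=example,dc=com" attrs=cn,gidNumber
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * read

# 3. Contacts subtree: the attributes typical of posixAccount/posixGroup are
#    not even readable here. Because slapd checks access to each attribute of
#    an entry being added, nobody but the administrator can create a UNIX
#    user or group object among the contacts.
access to dn.subtree="ou=contacts,dc=example,dc=com"
        attrs=uidNumber,gidNumber,userPassword,homeDirectory,loginShell
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# 4. Everything else under contacts may be edited by authenticated users.
access to dn.subtree="ou=contacts,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users write
    by * read

# 5. Catch-all (must come last): users may edit the remaining attributes of
#    their own entry and read the rest; anonymous clients may only bind.
access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self write
    by users read
    by anonymous auth
```

Because rule 1 is matched before the catch-all, the "by self write" in rule 5 does not let a user change his own uid, uidNumber, gidNumber or userPassword. The effect of the rules can be checked without a running server using slapacl, for example "slapacl -f /etc/openldap/slapd.conf -b "uid=alice,ou=people,dc=example,dc=com" -D "uid=bob,ou=people,dc=example,dc=com" uidNumber/write", which should report that write access is denied.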