OpenLDAP server ACLs

The OpenLDAP server ACLs define the privileges that the bind user requires on the directory.

The following example shows the ACLs that the bind user requires, together with ACLs for other types of users for the sake of completeness. A corporate directory server most likely has such ACLs configured already, and only the entries for the bind user need to be merged correctly into the slapd configuration file, which on Linux® systems is generally /etc/openldap/slapd.conf. Follow the ACL ordering rules to ensure that the correct ACLs are applied: slapd evaluates access directives in the order in which they appear and stops at the first "access to" clause whose target matches the entry and attribute; within that clause the first matching "by" clause decides, and a requester that matches no "by" clause is denied. A directive that grants write on an attribute must therefore appear before any directive that grants only read on the same attribute, because the later directive is never consulted. Note also that slapd.conf treats a line that begins with whitespace as a continuation of the previous line and splits the joined line into arguments on whitespace, so an attrs= list must stay on one line; a list wrapped onto a second line yields a stray token and the directive is rejected. Finally, sambaLMPassword and sambaNTPassword are password-equivalent hashes: granting the bind user read access to them makes the bind account's credential as sensitive as the user passwords themselves, so keep the trailing "by * none" and do not widen that grant.
### The bind user needs write access to record failed login attempts.
### This directive is placed first because slapd applies the first directive
### whose target matches: if it followed the read-only samba directive below,
### that directive would already cover these attributes and the write grant
### would never be reached. The self and "by * none" clauses that the later
### directive would otherwise supply for these attributes are repeated here.
access to attrs=cn,sambaBadPasswordCount,sambaBadPasswordTime,sambaAcctFlags
    by dn="uid=ibmbinduser,ou=people,dc=ldapserver,dc=com" write
    by self read
    by * none

### Some attributes need to be readable so that commands like 'id user',
### 'getent' etc. can answer correctly.
access to attrs=cn,objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="uid=ibmbinduser,ou=people,dc=ldapserver,dc=com" read

### The following will not list userPassword when ldapsearch is performed
### with the bind user: "auth" lets the value be used for a bind without
### disclosing it. The anonymous clause is needed so that the initial bind
### can succeed and users can authenticate; it should be a pre-existing
### entry already.
access to attrs=userPassword
    by dn="uid=ibmbinduser,ou=people,dc=ldapserver,dc=com" auth
    by self write
    by anonymous auth
    by * none

### The storage system needs to be able to find the samba domain account
### specified on the mmuserauth service create command.
### It is strongly recommended that the domain account is pre-created to
### ensure consistent access from multiple storage systems.
### Uncomment ONLY if you want storage systems to create the domain account
### when it does not exist.
#access to dn.base="dc=ldapserver,dc=com"
#    by dn="uid=ibmbinduser,ou=people,dc=ldapserver,dc=com" write
#    by * none

access to dn.regex="sambadomainname=[^,]+,dc=ldapserver,dc=com"
    by dn="uid=ibmbinduser,ou=people,dc=ldapserver,dc=com" read
    by * none

### All samba attributes need to be readable for samba access. Keep the
### attribute list on one line: a list wrapped onto a second line is split
### into two tokens and the directive is rejected. sambaLMPassword and
### sambaNTPassword are password-equivalent hashes, so keep "by * none".
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListOption
    by dn="uid=ibmbinduser,ou=people,dc=ldapserver,dc=com" read
    by self read
    by * none

### Required to check the samba schema.
access to dn.base=* by dn="uid=ibmbinduser,ou=people,dc=ldapserver,dc=com" read
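To see how slapd's first-match evaluation plays out on directives like the ones above, the following added example (not part of this page and not OpenLDAP code) is a small Python model of the "access to ... by ..." grammar: it joins continuation lines the way slapd.conf does, keeps the directives in file order, and reports which directive governs a given requester, entry and attribute. It compares the page's order, where the write directive for the lockout attributes comes after the read-only samba directive, with the write directive placed first. The directives, the shortened samba attribute list, the user entry uid=alice,ou=people,dc=ldapserver,dc=com and the domain entry sambaDomainName=CORP,dc=ldapserver,dc=com are constructed for the example; the model covers only the what/who forms that appear on this page and treats a request that matches no directive as denied.

```python
import re

# Privilege ladder from slapd.access(5); a grant at one level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
# Constructed sample directives (not the page's file), in the page's order.
BIND_DN = "uid=ibmbinduser,ou=people,dc=ldapserver,dc=com"
D_POSIX = ("access to attrs=cn,objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid\n"
           '    by dn="%s" read\n' % BIND_DN)
D_PASSWORD = ("access to attrs=userPassword\n"
              '    by dn="%s" auth\n    by self write\n    by anonymous auth\n    by * none\n' % BIND_DN)
D_DOMAIN = ('access to dn.regex="sambadomainname=[^,]+,dc=ldapserver,dc=com"\n'
            '    by dn="%s" read\n    by * none\n' % BIND_DN)
# The page's long samba attribute list, shortened to a representative subset.
D_SAMBA_READ = ("access to attrs=cn,sambaNTPassword,sambaAcctFlags,sambaBadPasswordCount,"
                "sambaBadPasswordTime,sambaSID,sambaPrimaryGroupSID\n"
                '    by dn="%s" read\n    by self read\n    by * none\n' % BIND_DN)
D_SAMBA_WRITE = ("access to attrs=cn,sambaBadPasswordCount,sambaBadPasswordTime,sambaAcctFlags\n"
                 '    by dn="%s" write\n' % BIND_DN)
D_ALL = 'access to dn.base=* by dn="%s" read\n' % BIND_DN
PAGE_ORDER = D_POSIX + D_PASSWORD + D_DOMAIN + D_SAMBA_READ + D_SAMBA_WRITE + D_ALL
# Fix: write directive first, with the self/others clauses it would otherwise shadow.
FIXED_ORDER = (D_SAMBA_WRITE + "    by self read\n    by * none\n"
               + D_POSIX + D_PASSWORD + D_DOMAIN + D_SAMBA_READ + D_ALL)
WRAPPED = "access to attrs=cn,uid,\n    gidNumber\n    by * read\n"  # wrapped attrs= list: rejected
USER_DN = "uid=alice,ou=people,dc=ldapserver,dc=com"  # constructed user entry


def _parse_what(what):
    """<what> subset used on this page: '*', 'dn[.style]=pattern', 'attrs=a,b,c'."""
    spec = {"dn": None, "attrs": None}
    for tok in what.split():
        if tok == "*":
            continue
        key, eq, val = tok.partition("=")
        if not eq:  # bare token, e.g. the tail of a wrapped attrs= list: slapd rejects it
            raise ValueError("unknown <what> key: " + tok)
        if key == "attrs":
            spec["attrs"] = {a.strip().lower() for a in val.split(",") if a.strip()}
        elif key == "dn" or key.startswith("dn."):
            spec["dn"] = (key.partition(".")[2] or "exact", val.strip('"'))
        else:
            raise ValueError("unsupported <what> key: " + key)
    return spec


def parse_acls(text):
    """Return [(what_spec, [(who, level), ...]), ...] in file order."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:  # continuation line, joined as slapd does
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    acls = []
    for line in lines:
        m = re.match(r"access\s+to\s+(.*?)\s+(by\s+.*)$", line)
        if m is None:
            raise ValueError("not an access directive: " + line)
        who = re.findall(r'by\s+(\*|self|anonymous|dn="[^"]*")\s+(\w+)', m.group(2))
        acls.append((_parse_what(m.group(1)), who))
    return acls


def _what_matches(spec, target_dn, attr):
    if spec["dn"] is not None and spec["dn"][1] != "*":
        style, pat = spec["dn"]
        if style == "regex" and not re.search(pat, target_dn, re.I):
            return False
        if style in ("exact", "base") and target_dn.lower() != pat.lower():
            return False
    return spec["attrs"] is None or attr.lower() in spec["attrs"]


def _who_matches(who, requester, target_dn):
    if who == "*" or (who == "anonymous" and requester is None):
        return True
    if requester is None or who == "anonymous":
        return False
    return requester.lower() == (target_dn if who == "self" else who[4:-1]).lower()


def evaluate(acls, requester, target_dn, attr):
    """(directive index, level): slapd consults only the first <what> that matches the
    entry/attribute; within it the first matching <who> wins, none matching means none."""
    for i, (spec, clauses) in enumerate(acls):
        if _what_matches(spec, target_dn, attr):
            for who, level in clauses:
                if _who_matches(who, requester, target_dn):
                    return i, level
            return i, "none"
    return None, "none"  # nothing matched: treated as denied in this model


def allows(acls, requester, target_dn, attr, needed):
    return LEVELS.index(evaluate(acls, requester, target_dn, attr)[1]) >= LEVELS.index(needed)


def parses(text):
    try:
        return bool(parse_acls(text))
    except ValueError:
        return False


PAGE_ACLS, FIXED_ACLS = parse_acls(PAGE_ORDER), parse_acls(FIXED_ORDER)
```

In the page's order, evaluate(PAGE_ACLS, BIND_DN, USER_DN, "sambaBadPasswordCount") stops at the read-only samba directive and returns read, so the later write grant is dead; with the write directive first it returns write, and self still gets read because that clause travelled with it. Against a real server, slaptest -u -f /etc/openldap/slapd.conf checks the syntax (a wrapped attrs= list fails here), and slapacl -f /etc/openldap/slapd.conf -D "<bind DN>" -b "<entry DN>" sambaBadPasswordCount/write reports the access that the installed ACLs actually grant.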