Access control should be LDAPI aware, and have the ability to accept or reject operations that come through an LDAPI connection.
Situations where one might want to protect sensitive data, and only allow connections that come from the server machine over LDAPI.
LDAPI support was added by extending the “authmethod” keyword. “authmethod” is used to control access by the connection protocol(Simple, SSL, SASL, etc). Now you can specify “ldapi” as an authentication method.
(targetattr = "*") (version 3.0;acl "LDAPI ACI";allow (all)
(userdn = "ldap:///anyone" and authmethod = "ldapi" );)
Since LDAPI connections do not have an IP address/hostname, be very careful when adding “ip” and “dns” rules. If you choose to “and” an “ip” rule with authmethod(LDAPI), the ACI will always reject access, so use an “or” in this case.
(targetattr = "*") (version 3.0;acl "LDAPI ACI";allow (all)
(userdn = "ldap:///anyone" and authmethod = "ldapi" or ip = "127.0.0.1" );)
No additional requirements.
UI
Right click on the suffix/branch you want to add the ACI to -> “Set access permissions”, then you have to “Edit visually” to set the authmethod.
CLI
Use ldapmodify to add the aci.
No configuration options.
No impact.
No impact.
No dependencies.
No impact.
Mark Reynolds mreynolds@redhat.com