Access to the LDAP directory should be restricted to comply with your organization’s security guidelines and policies.
IMPORTANT: Consult your company security policy for the security requirements that apply to the LDAP server, especially who holds local administrator rights on it and the security rating required for the administration infrastructure.
To restrict access to the directory, implement access control lists (ACLs) in the LDAP server configuration file on the Administration Server, /etc/openldap/slapd.conf. slapd evaluates ACLs in the order they are written: the first access to clause whose target matches the requested entry and attribute is the only one consulted, and within it the first matching by clause decides, so the order of the rules below matters. slapd reads slapd.conf only at startup, so restart it after changing the ACLs. For more information, see Section A.3.4, posInitLdap.sh, or the man pages slapd.conf(5) and slapd.access(5).
To restrict access to a specific location, use the following ACLs. The first rule lets everyone read the root DSE (the empty DN), which clients need to discover the server. The second rule restricts userPassword so that an anonymous bind can only use it for authentication and only the owner of an entry can change it; everyone else gets no access at all. The third rule captures the location part of the target DN (cn=location,ou=orgUnit,o=mycorp,c=us) and grants write access to any DN that lies under that same location, which is where the location user created below lives; anonymous binds get auth only and other authenticated users get read. The last rule is the catch-all for everything else. Because the userPassword rule comes first, a location user's write access does not extend to the userPassword attribute of other entries in its location; only the entry itself (by self) and the rootdn, which bypasses ACLs, can change it.
NOTE: The examples use the standard DN layout cn=location,ou=orgUnit,o=mycorp,c=us.
access to dn.base="" by * read
access to * attrs=userPassword
    by anonymous auth
    by self write
access to dn.regex="^.*(cn=.*,ou=.*,o=mycorp,c=us)$"
    by dn.regex="^.*,$1$" write
    by anonymous auth
    by users read
access to *
    by anonymous auth
    by users read
    by self write
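To see what these four rules actually grant before deploying them, the following is an added example (not part of the SLEPOS documentation or tools) that models slapd's first-match ACL evaluation in Python for exactly the rules above, including the $1 substitution that carries the captured location DN from the to clause into the by clause. The entries cn=pos1,cn=east,ou=boston,o=mycorp,c=us and cn=pos1,cn=west,ou=boston,o=mycorp,c=us and the attribute description are hypothetical; the rootdn bypass, DN normalisation and the other slapd.access(5) features are deliberately not modelled.

```python
import re

# slapd access levels from weakest to strongest; a matching "by" clause grants
# exactly one of them (see slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The four ACLs from the page, transcribed into a small data model for this
# example (constructed here; slapd parses slapd.conf itself).  A target may
# carry dn_base, dn_regex and/or attrs; "by" clauses keep their written order
# as (kind, pattern-or-None, level).
ACLS = [
    ({"dn_base": ""},
     [("*", None, "read")]),
    ({"attrs": {"userPassword"}},
     [("anonymous", None, "auth"), ("self", None, "write")]),
    ({"dn_regex": r"^.*(cn=.*,ou=.*,o=mycorp,c=us)$"},
     [("dn.regex", r"^.*,$1$", "write"),
      ("anonymous", None, "auth"),
      ("users", None, "read")]),
    ({},
     [("anonymous", None, "auth"), ("users", None, "read"), ("self", None, "write")]),
]


def _by_matches(kind, pattern, requester, target_dn, groups):
    """Does one "by" subject match the requester?  requester None = anonymous bind."""
    if kind == "*":
        return True
    if kind == "anonymous":
        return requester is None
    if kind == "users":
        return requester is not None
    if kind == "self":
        return requester is not None and requester == target_dn
    if kind == "dn.regex":
        if requester is None:
            return False
        # $1..$9 in the "by" pattern are replaced with the groups captured by
        # the "to dn.regex" pattern; that is how the location DN is carried over.
        for i, group in enumerate(groups, start=1):
            pattern = pattern.replace("$%d" % i, group)
        return re.search(pattern, requester) is not None
    raise ValueError("unsupported by clause %r" % kind)


def access_level(requester, target_dn, attr=None):
    """Level the ACLs grant `requester` (a DN, or None for anonymous) on `attr`
    of `target_dn` (attr None = the entry itself).

    Modelled slapd semantics: the first "access to" whose target matches is the
    only one consulted, and within it the first matching "by" clause wins; no
    matching "by" clause means "none" (slapd's implicit trailing "by * none").
    Not modelled: the rootdn (which bypasses ACLs) and DN normalisation.
    """
    for target, clauses in ACLS:
        groups = ()
        if "dn_base" in target and target_dn != target["dn_base"]:
            continue
        if "attrs" in target and attr not in target["attrs"]:
            continue
        if "dn_regex" in target:
            m = re.match(target["dn_regex"], target_dn)
            if m is None:
                continue
            groups = m.groups()
        for kind, pattern, level in clauses:
            if _by_matches(kind, pattern, requester, target_dn, groups):
                return level
        return "none"
    return "none"


def allows(requester, target_dn, attr, needed):
    """True if the granted level is at least `needed` (e.g. "read" or "write")."""
    return LEVELS.index(access_level(requester, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    east_user = "cn=EastBostonUser,cn=east,ou=boston,o=mycorp,c=us"
    east_entry = "cn=pos1,cn=east,ou=boston,o=mycorp,c=us"   # hypothetical entry
    west_entry = "cn=pos1,cn=west,ou=boston,o=mycorp,c=us"   # hypothetical entry
    checks = [
        (None, "", None),
        (None, east_entry, "description"),
        (None, east_entry, "userPassword"),
        (east_user, east_entry, "description"),
        (east_user, west_entry, "description"),
        (east_user, east_entry, "userPassword"),
        (east_user, east_user, "userPassword"),
    ]
    for who, dn, attr in checks:
        print("%-52s %-42s %-13s -> %s" % (who or "anonymous", dn or '""',
                                            attr, access_level(who, dn, attr)))
```

Run it with python3 and compare the output with what you expect from the rules: the East Boston location user gets write on entries under cn=east,ou=boston but only read on cn=west,ou=boston; it can change its own userPassword but gets none on the userPassword of other entries, even in its own location, because the userPassword rule is matched first; an anonymous bind can read the root DSE and use userPassword for binding but cannot read anything else. If a change to the ACLs in slapd.conf breaks one of these expectations, this model shows which rule now wins; confirm the result against the running server with ldapsearch bound as the respective user.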
For each location, create a location user whose DN lies under the location entry, so that the third ACL above grants it write access to that location only. For example:
posAdmin.pl --user cn=admin,o=mycorp,c=us --password secret --base cn=east,ou=boston,o=mycorp,c=us --add --scPOSUser --cn EastBostonUser --userPassword "secretPassword"
Here secret and secretPassword are placeholders. Note that passwords passed as command-line arguments are visible to other local users in the process list and are recorded in the shell history, so run such commands on a host whose local access is restricted accordingly.
The --user option of all posAdmin commands concerning the cn=east,ou=boston,o=mycorp,c=us location can now be set to this user:
--user cn=EastBostonUser,cn=east,ou=boston,o=mycorp,c=us
The default LDAP user can then be replaced by this location user, in particular at the prompt of the posInitBranchserver command:
... Please enter the DN of the LDAP user for administration tasks [default: cn=admin,o=mycorp,c=us]
cn=EastBostonUser,cn=east,ou=boston,o=mycorp,c=us