Access to the LDAP directory should be restricted to comply with your organization’s security guidelines and policies.
IMPORTANT: Consult your company security policy to learn about the security requirements for the LDAP server, especially local administrator rights and the security ratings for the administration infrastructure.
To restrict access to the directory, implement access control lists (ACLs) in the LDAP server configuration file on the Administration Server, /etc/openldap/slapd.conf. For more information, see Section A.3.4, posInitLdap.sh, or the man pages slapd.conf(5) and slapd.access(5).
To restrict access to a specific location, use the following ACLs:
NOTE: The examples use the standard schema of cn=location,ou=orgUnit,o=mycorp,c=de.
access to dn.base=""
        by * read

access to * attrs=userPassword
        by anonymous auth
        by self write

access to dn.regex="^.*(cn=.*,ou=.*,o=mycorp,c=us)$"
        by dn.regex="^.*,$1$" write
        by anonymous auth
        by users read

access to *
        by anonymous auth
        by users read
        by self write
For each location, create a location user. For example,
posAdmin.pl --user cn=admin,o=mycorp,c=us --password secret --base cn=east,ou=boston,o=mycorp,c=us --add --scPOSUser --cn EastBostonUser --userPassword "secretPassword"
Now the --user option can be set to the following in all posAdmin commands concerning the cn=east,ou=boston,o=mycorp,c=us location:
--user cn=EastBostonUser,cn=east,ou=boston,o=mycorp,c=us
The default LDAP user can now be replaced by this user, especially for the posInitBranchserver command.
... Please enter the DN of the LDAP user for administration tasks [default: cn=admin,o=mycorp,c=us]
cn=EastBostonUser,cn=east,ou=boston,o=mycorp,c=us
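To check that an ACL set behaves as intended before it is loaded into slapd, the following added Python script (not part of SLEPOS or this page) models slapd's first-match evaluation of the four ACLs above: the location user gets write access only to entries under its own location, read access elsewhere, and anonymous sessions get auth only. The entry DNs cn=register1,... and cn=west,... used in the checks are constructed for illustration.

```python
import re

# slapd's access levels in order; a grant at one level implies all lower ones
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed copy of the page's ACL set (c=us suffix as in its examples): "to" is
# a regex over the target DN (None = "*"), "by" keeps slapd.conf clause order.
ACLS = [
    {"to": r"^$", "attrs": None, "by": [("*", None, "read")]},   # root DSE
    {"to": None, "attrs": "userPassword",
     "by": [("anonymous", None, "auth"), ("self", None, "write")]},
    {"to": r"^.*(cn=.*,ou=.*,o=mycorp,c=us)$", "attrs": None,
     "by": [("dn.regex", r"^.*,$1$", "write"),
            ("anonymous", None, "auth"), ("users", None, "read")]},
    {"to": None, "attrs": None,
     "by": [("anonymous", None, "auth"), ("users", None, "read"),
            ("self", None, "write")]},
]

def who_matches(kind, value, bind_dn, target_dn, match):
    """Model one 'by' clause; bind_dn == "" means an anonymous session."""
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "users":
        return bind_dn != ""
    if kind == "self":
        return bind_dn != "" and bind_dn == target_dn
    if kind == "dn.regex" and bind_dn:
        # slapd pastes the 'to' clause's capture group into the 'by' regex verbatim
        pattern = value.replace("$1", match.group(1)) if match else value
        return re.match(pattern, bind_dn) is not None
    return False

def evaluate(bind_dn, target_dn, attr=None, acls=ACLS):
    """Level granted: the first matching 'to' clause is the only one consulted, and
    inside it the first matching 'by' clause wins (implicit trailing 'by * none')."""
    for acl in acls:
        if acl["attrs"] is not None and acl["attrs"] != attr:
            continue
        match = re.match(acl["to"], target_dn) if acl["to"] is not None else None
        if acl["to"] is not None and match is None:
            continue
        for kind, value, level in acl["by"]:
            if who_matches(kind, value, bind_dn, target_dn, match):
                return level
        return "none"
    return "none"
```

Note that the catch-all lists by users read before by self write, so an authenticated user never reaches the self clause there; if cn=admin,o=mycorp,c=us is configured as slapd's rootdn, ACLs do not apply to it at all, so verify behaviour with the location user rather than the administrator.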