TechQA.

Prevent searching mail=* in OpenLDAP

41 views Asked by At

As an OpenLDAP admin, how can I prevent anonymous (non-authenticated) users from searching for e.g. mail=* with a single Asterisk?

ldapsearch ... "mail=*"

must be disabled, but

ldapsearch ... "mail=*test*"

must remain allowed.

I tried to add this rule but it did not help.

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to filter="(mail=*)"
  by dn.base="cn=admin,dc=example,dc=com" read
  by * none
olcAccess: {1}to * 
  by dn.base="cn=admin,dc=example,dc=com" write
  by * read
ldap acl openldap slapd
Original Q&A
1

There are 1 answers

0
user1686 On

You can't do that with OpenLDAP, but it's also not very useful to do, as it only takes a single (mail=*@*) to get around that restriction. (or if you forbid that, then (mail=*@*.*), or some 26 or so (mail=*a*), etc.)

Instead, set a size limit through olcLimits so that any anonymous query would only return e.g. 5 results at most – still possible to work around but much more annoying:

olcLimits: anonymous size.soft=5 size.hard=5

Related Questions in LDAP

Related Questions in ACL

Related Questions in OPENLDAP

Related Questions in SLAPD

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions