Prevent searching mail=* in OpenLDAP


As an OpenLDAP admin, how can I prevent anonymous (non-authenticated) users from searching for e.g. mail=* with a single Asterisk?

ldapsearch ... "mail=*"

must be disabled, but

ldapsearch ... "mail=*test*"

must remain allowed.

I tried to add this rule but it did not help.

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to filter="(mail=*)"
  by dn.base="cn=admin,dc=example,dc=com" read
  by * none
olcAccess: {1}to *
  by dn.base="cn=admin,dc=example,dc=com" write
  by * read


user1686

You can't do that with OpenLDAP, but it's also not very useful to do, as it only takes a single (mail=*@*) to get around that restriction. (Or if you forbid that, then (mail=*@*.*), or some 26 or so (mail=*a*), etc.)

Instead, set a size limit through olcLimits so that any anonymous query would only return e.g. 5 results at most – still possible to work around but much more annoying:

olcLimits: anonymous size.soft=5 size.hard=5
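As an added illustration of why the size limit works where the ACL does not (this is example code written for this page, not code from the question or the answer): an olcAccess `filter=` clause selects *entries* whose attributes match the filter, so `to filter="(mail=*)"` hides every entry that has a mail attribute, including the ones `(mail=*test*)` was supposed to find, while it says nothing about the shape of the client's search filter. `olcLimits`, by contrast, caps what an anonymous bind receives no matter how the filter is written. The script below parses an `olcLimits` value in the `anonymous size.soft=N size.hard=N` form, runs a few filters over a constructed 41-entry sample directory, and models the enforcement rules as the example's author reads slapd.conf(5) (an assumption, not a statement from the page): a client sizelimit of 0 means "apply the soft limit", a requested limit at or below the hard limit is honoured, and a larger request is refused with adminLimitExceeded. Only the `size.soft`/`size.hard` spellings are handled; time limits and the other selectors are left out.

```python
"""Model of OpenLDAP olcLimits size enforcement for anonymous searches.

Example written for this page (not from the original post).  Enforcement
semantics are the author's reading of slapd.conf(5) and are an assumption.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: 40 ordinary accounts plus one whose
# address contains the substring "test".
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"dn": f"uid=user{i},ou=people,dc=example,dc=com", "mail": f"user{i}@example.com"}
    for i in range(1, 41)
]
SAMPLE_ENTRIES.append(
    {"dn": "uid=tester,ou=people,dc=example,dc=com", "mail": "tester@example.com"}
)

# size.soft=<n>, size.hard=<n>; -1 and "unlimited" lift the limit,
# size.hard=soft (or 0) makes the hard limit track the soft one.
LIMIT_SPEC = re.compile(r"^size\.(soft|hard)=(-?\d+|unlimited|soft)$")
# Minimal equality/substring filter: (attr=value) with '*' wildcards.
FILTER = re.compile(r"^\(?([A-Za-z][\w-]*)=([^()]*)\)?$")


@dataclass
class SizeLimits:
    who: str                      # selector, e.g. "anonymous"
    soft: Optional[int] = None    # None means unlimited
    hard: Optional[int] = None    # None means unlimited
    hard_is_soft: bool = False    # size.hard=soft / size.hard=0


def _to_int(raw: str) -> Optional[int]:
    return None if raw in ("unlimited", "-1") else int(raw)


def parse_olc_limits(value: str) -> SizeLimits:
    """Parse an olcLimits value such as '{0}anonymous size.soft=5 size.hard=5'."""
    value = re.sub(r"^\{\d+\}", "", value.strip())  # drop cn=config ordering prefix
    selector, *specs = value.split()
    lim = SizeLimits(who=selector)
    for spec in specs:
        m = LIMIT_SPEC.match(spec)
        if not m:
            raise ValueError(f"only size.soft/size.hard are modelled here: {spec}")
        flavor, raw = m.groups()
        if flavor == "soft":
            lim.soft = _to_int(raw)
        elif raw in ("soft", "0"):
            lim.hard_is_soft = True
        else:
            lim.hard = _to_int(raw)
    if lim.hard_is_soft:
        lim.hard = lim.soft
    return lim


def apply_size_limit(lim: SizeLimits, requested: int,
                     matches: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], str]:
    """Return (entries sent to the client, LDAP result name).

    Assumed rules: requested 0 -> soft limit applies; requested <= hard -> honoured;
    requested > hard -> adminLimitExceeded and nothing is returned.
    """
    if requested == 0:
        effective = lim.soft
    elif lim.hard is not None and requested > lim.hard:
        return [], "adminLimitExceeded"
    else:
        effective = requested
    if effective is None or len(matches) <= effective:
        return list(matches), "success"
    return list(matches[:effective]), "sizeLimitExceeded"


def anonymous_search(filter_str: str, olc_limits_value: str, requested_sizelimit: int = 0,
                     entries: List[Dict[str, str]] = SAMPLE_ENTRIES) -> Tuple[List[Dict[str, str]], str]:
    """Evaluate one anonymous search against the sample directory under the given limits."""
    m = FILTER.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, pattern = m.group(1).lower(), m.group(2).lower()   # mail is case-insensitive
    # fnmatch's '*' is the LDAP substring wildcard; values here contain no '?' or '['.
    matches = [e for e in entries if attr in e and fnmatch.fnmatchcase(e[attr].lower(), pattern)]
    return apply_size_limit(parse_olc_limits(olc_limits_value), requested_sizelimit, matches)


if __name__ == "__main__":
    LIMITS = "anonymous size.soft=5 size.hard=5"        # the answer's suggested setting
    for flt in ("(mail=*)", "(mail=*test*)", "(mail=*@*)"):
        got, code = anonymous_search(flt, LIMITS)
        print(f"{flt:14} -> {len(got):2d} entries, {code}")
    got, code = anonymous_search("(mail=*)", LIMITS, requested_sizelimit=100)
    print(f"(mail=*) with client sizelimit 100 -> {len(got)} entries, {code}")
```

Running it shows that `(mail=*)` and `(mail=*@*)` both stop at five entries with sizeLimitExceeded, `(mail=*test*)` still returns its single match, and a client that asks for more than the hard limit gets adminLimitExceeded and nothing at all, which is the behaviour the answer is relying on.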