LDAP Security

Ryan Golhar golharam at umdnj.edu
Wed Apr 14 02:08:23 UTC 2004


Does anyone have any experience with LDAP?  I have an LDAP server set up
to authenticate users.  I want to allow certain users the ability to add
other users and change passwords, but I don't want them to be able to
delete users.  Right now, my slapd.conf file contains the following
ACLs:

#
# ACLs
#
# slapd evaluates "access to" directives in file order: the first directive
# whose target matches the entry/attribute is used, and within it the first
# matching "by" clause decides. Keep the most specific targets first.
#
# userPassword: the entry owner and the root account may change it; everyone
# else gets only "auth" (bind/compare), so the password is never readable.
# NOTE(review): a bare dn="..." pattern is treated as a regular expression in
# slapd.conf of this era; the unescaped dots match any character and the
# pattern is unanchored - confirm against slapd.access(5) for this version.
access to dn=".*,ou=People,o=v12,o=UMDNJ,c=US"
		attr=userPassword
	by self write
	by dn="uid=root,ou=People,o=v12,o=UMDNJ,c=US" write
	by * auth

# allows admins to add users to "users" group
# Only the memberUid attribute is covered here; "write" lets the listed DNs
# both add and remove members. Anyone else can read the membership list.
access to dn="cn=users,ou=Group,o=v12,o=UMDNJ,c=US"
		attr=memberUid
	by self write
        by dn="uid=root,ou=People,o=v12,o=UMDNJ,c=US" write
	by dn="uid=golharam,ou=People,o=v12,o=UMDNJ,c=US" write
	by dn="uid=kerrigje,ou=People,o=v12,o=UMDNJ,c=US" write
	by dn="uid=kholodvl,ou=People,o=v12,o=UMDNJ,c=US" write
	by dn="uid=byrne,ou=People,o=v12,o=UMDNJ,c=US" write
	by * read

# allows admins to add users
# NOTE(review): "write" on entries under ou=People grants add, modify AND
# delete; the access directives shown here cannot grant add without also
# granting delete, so the listed admins can still remove users. Check the
# slapd.access(5) man page for the installed version to see whether the
# write privilege can be split further.
# NOTE(review): "by self write" lets every user modify any attribute of
# their own entry (not only userPassword, which the first directive already
# handles); if that is not intended, narrow it with an attr= list. Whether
# the unanchored dn= target also matches the entries beneath ou=People
# depends on the regex handling - confirm.
access to dn="ou=People,o=v12,o=UMDNJ,c=US"
	by self write
        by dn="uid=root,ou=People,o=v12,o=UMDNJ,c=US" write
        by dn="uid=golharam,ou=People,o=v12,o=UMDNJ,c=US" write
	by dn="uid=kerrigje,ou=People,o=v12,o=UMDNJ,c=US" write
        by dn="uid=kholodvl,ou=People,o=v12,o=UMDNJ,c=US" write
        by dn="uid=byrne,ou=People,o=v12,o=UMDNJ,c=US" write
        by * read

# Catch-all for everything else under o=v12.
# NOTE(review): the root DN below omits ",o=v12" unlike the root DN used in
# the directives above; if that is a typo, this clause never matches the
# real root account and root gets only read access here.
access to dn=".*,o=v12,o=UMDNJ,c=US"
	by self write
	by dn="uid=root,ou=People,o=UMDNJ,c=US" write
	by * read

# Anonymous (and everyone else) may read anything under o=UMDNJ that was
# not restricted by an earlier directive - confirm this exposure is intended.
access to dn=".*,o=UMDNJ,c=US"
	by * read

# Fallback access level for anything no directive above matched.
defaultaccess read

-----
Ryan Golhar
Computational Biologist
The Informatics Institute at
The University of Medicine & Dentistry of NJ

Phone: 973-972-5034
Fax: 973-972-7412
Email: golharam at umdnj.edu




