ACL help
Greetings,
I would appreciate it if someone would try to help me understand the idea
of ACLs in my slapd.conf file.
A simple example: I have 3 entries in my ldif file (user1, user2, user3). Here
they are:
------------------------------------------------------------------------------
# LDIF as posted; entries are separated by blank lines (required by LDIF) and the
# "userpassword=" line is written as "userpassword:" like every other attribute.
dn: o=Company, c=CA
objectclass: Organization

dn: location=Dorval, o=Company, c=CA
objectclass: Location

dn: username=user1, location=Dorval, o=Company, c=CA
objectclass: Person
username: user1
cn: User1_First_Name Lastname
mail: user1@Company.com
location: Dorval
givenname: user1_GiveName
sn: Lastname
telephoneNumber: ext: 7701
status: Active User

dn: username=user2, location=Dorval, o=Company, c=CA
objectclass: Person
username: user2
cn: User2_First_Name Lastname
mail: user2@Company.com
location: Dorval
givenname: user2_GiveName
sn: Lastname
telephoneNumber: ext: 7702
status: Active User
userpassword: Some_Password

dn: username=user3, location=Dorval, o=Company, c=CA
objectclass: Person
username: user3
cn: User3_First_Name Lastname
mail: user3@Company.com
location: Dorval
givenname: user3_GiveName
sn: Lastname
telephoneNumber: ext: 7703
status: Active User
------------------------------------------------------------------------------
All I want to do is to allow user2 (WHO is the only one that has a
"userpassword" attribute) read access to the whole database (except
viewing any other "userpassword" data, if any).
Therefore, when user2 logs in with his username and password, a search on
the whole database would yield all 3 entries, except for the password.
I'm trying to configure our Eudora 4.1 email clients to "log in" to the LDAP
server (as user2) before giving any pertinent results.
------------------------------------------------------------------------------
ISSUES:
Can I define a username attribute to look up the login name, or do I use
the cn field?
Do all entries have to have a "userpassword" attribute?
Can I use the encrypted passwd (standard UNIX DES) in the "userpassword" field?
Must I follow schemas to allow ACLs to work?
Or am I really out in left field?
------------------------------------------------------------------------------
I UNDERSTAND that I have to have:
access to attr=userpassword
        by self write
        by * compare
to hide the passwords.
------------------------------------------------------------------------------
Any help would be appreciated... Thanks
Joe
email: jnoviell@matrox.com
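An added example, not part of Joe's post: a slapd.conf access-control block that does what the post asks (only user2 may read the directory, and nobody but the owning entry can read a userpassword). It uses the DNs from the post and OpenLDAP 2.x ACL syntax; the "auth" level is a 2.x addition, and on a 1.x slapd the equivalent line is the "by * compare" the post already has. The two-rule layout and the ordering comment are the point of the example.

```conf
# slapd.conf ACL fragment (added example, OpenLDAP 2.x syntax; DNs from the post).
#
# slapd walks "access to" clauses in order and uses the FIRST one whose <what>
# matches the entry/attribute being touched, then the FIRST "by" clause whose
# <who> matches the requester.  The userpassword rule must therefore come
# before the catch-all, or "access to *" would hand out read on the password.

# 1. Passwords: an entry may change its own; everyone else, including the
#    anonymous connection that a simple bind starts from, gets only "auth",
#    i.e. enough to bind with the value but not to read, search on or
#    compare it.  (OpenLDAP 1.x: use "by * compare" here instead.)
access to attrs=userPassword
        by self write
        by * auth

# 2. Everything else: only user2, bound with his DN and password, may read.
#    "read" implies "search", so user2's searches return all three entries
#    (minus userPassword, which rule 1 already decided).  Anyone else gets
#    "none"; user1 and user3 have no password and so cannot bind anyway.
access to *
        by dn.exact="username=user2,location=Dorval,o=Company,c=CA" read
        by * none
```

To check it, bind as user2 and search the whole tree, e.g. `ldapsearch -x -D "username=user2,location=Dorval,o=Company,c=CA" -W -b "o=Company,c=CA" "(objectclass=*)"`: all three entries should come back with no userPassword line, while the same search without -D/-W (anonymous) should return nothing. ACL evaluation itself does not depend on schema; whether slapd accepts the non-standard attributes in the posted LDIF (username, location, status) is a separate schema-checking question.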