Re: help needed in setting acl
At 05:52 PM 7/20/99 -0500, ramana.ramachandran@wcom.com wrote:
>hi
>I need some help in setting my ACL.
>My dir hierarchy is
>
>one organization
>multiple organizationalUnit(s) underneath the organization
>multiple account(s) underneath each organizationalUnit.
>multiple person(s) underneath each account.
>
>account has uid & userPassword. Each person has an owner which is a dn to
>the account that created it.
>
>(1) One can bind ONLY to the account
In OpenLDAP 1.x, you technically cannot restrict binds.
If an entry has a userPassword (or krbName), it can be a bind
target. No ACLs are applied. The "compare" access you often
see is to allow external authentication applications.
The next release of OpenLDAP (i.e., 2.0) will support a new
access level ("auth") to control authentication.
However, you can restrict which entries a client can add
userPasswords to...
access to attr=userPassword
by self write
by * none
>(2) Each account can create, modify, delete person object underneath
>itself. Each account can read person info of other accounts.
Sounds like a job for regex... something like this might do:
# subtree write (if DN fits within naming)
# other dn's, read
# default none
access to
dn="^.+,([[:alnum:]]+=[[:alnum:]]+,[[:alnum:]]+=[[:alnum:]]+,o=IISc,C=IN)$"
by dn="$1" write
by dn=".*,o=IISc,C=IN" read
by * none
# self write
# other dn's, read
# default none
access to
dn="^[[:alnum:]]+=[[:alnum:]]+,[[:alnum:]]+=[[:alnum:]]+,o=IISc,C=IN$"
by self write
by dn=".*,o=IISc,C=IN" read
by * none
# general read, default none
access to
dn="^(.*,)?o=IISc,C=IN$"
by dn=".*,o=IISc,C=IN" read
by * none
Note: the :alnum: may be too restrictive and could be replaced with
something that matches more (but not too much more).
>Somewhere I read about giving access to parent (maybe ldapv3?).
Access control mechanisms are server specific.
>I need
>something like that or better still ability to grant add entry and
>write access to each account. Any idea how I could do that? While the
>below acl doesn't work, I thought you could comment on it too.
See above. You might also check out ACL groups...
http://www.openldap.org/faq/index.cgi?file=52
Kurt
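To see what the three regex clauses above actually grant, here is an added example written for this page; it is not code from the post or from OpenLDAP itself. It evaluates the clauses the way slapd 1.x does, with POSIX regcomp()/regexec() in extended, case-insensitive mode: the first "access to" whose target regex matches the entry is used, and inside it the first "by" clause that matches the bind DN decides. The [:alnum:] from the post is spelled as the POSIX bracket expression [[:alnum:]], since a bare [:alnum:] is not a character class. The function names (acl_decide, re_match, by_dn), the sample DNs (acct1, acct2, ou=cs, p1, p2) and the anchored flag are all assumptions made for the example. The flag is there because the expanded by dn="$1" is treated here as an unanchored regex against the bind DN, which is the example's model of the server, not something the post states; if the release you run matches that way, a person entry with a userPassword (which, as Kurt says, can bind in 1.x) binding as cn=p1,uid=acct1,... contains its account's DN as a substring and picks up write access on its sibling persons.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Access levels in the order slapd ranks them (write implies read). */
enum acc { ACC_NONE = 0, ACC_READ = 1, ACC_WRITE = 2 };

/* Extended, case-insensitive regex match.  If grp is given, the text of
 * subexpression 1 is copied into it (empty string when it did not match). */
static int re_match(const char *pat, const char *s, char *grp, size_t grplen)
{
    regex_t re;
    regmatch_t m[2];
    int ok;

    if (grp)
        grp[0] = '\0';
    if (regcomp(&re, pat, REG_EXTENDED | REG_ICASE) != 0)
        return 0;                     /* a pattern that will not compile grants nothing */
    ok = regexec(&re, s, 2, m, 0) == 0;
    if (ok && grp && m[1].rm_so >= 0) {
        size_t n = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (n >= grplen)
            n = grplen - 1;
        memcpy(grp, s + m[1].rm_so, n);
        grp[n] = '\0';
    }
    regfree(&re);
    return ok;
}

/* "by dn=<pattern>": the (already $1-expanded) pattern is itself a regex run
 * against the bind DN.  anchored=0 models an unanchored match (assumption);
 * anchored=1 wraps it in ^( )$ so only the exact DN qualifies. */
static int by_dn(const char *pat, const char *bind, int anchored)
{
    char buf[512];

    if (anchored)
        snprintf(buf, sizeof buf, "^(%s)$", pat);
    else
        snprintf(buf, sizeof buf, "%s", pat);
    return re_match(buf, bind, NULL, 0);
}

/* The three "access to" clauses from the post, with [[:alnum:]] as a POSIX
 * bracket expression.  Clause order matters: the first clause whose target
 * regex matches is used, and inside it the first matching "by" wins. */
#define SUFFIX "o=IISc,C=IN"
#define RDN    "[[:alnum:]]+=[[:alnum:]]+"
static const char PERSON_RE[]  = "^.+,(" RDN "," RDN "," SUFFIX ")$";
static const char ACCOUNT_RE[] = "^" RDN "," RDN "," SUFFIX "$";
static const char ANY_RE[]     = "^(.*,)?" SUFFIX "$";
static const char LOCAL_RE[]   = ".*," SUFFIX;   /* by dn=".*,o=IISc,C=IN" */

enum acc acl_decide(const char *target, const char *bind, int anchored)
{
    char acct[256];

    if (re_match(PERSON_RE, target, acct, sizeof acct)) {
        if (by_dn(acct, bind, anchored))   /* by dn="$1" write */
            return ACC_WRITE;
        if (by_dn(LOCAL_RE, bind, 0))      /* by dn=".*,o=IISc,C=IN" read */
            return ACC_READ;
        return ACC_NONE;                   /* by * none */
    }
    if (re_match(ACCOUNT_RE, target, NULL, 0)) {
        if (strcmp(target, bind) == 0)     /* by self write (exact DN here; slapd normalizes) */
            return ACC_WRITE;
        if (by_dn(LOCAL_RE, bind, 0))
            return ACC_READ;
        return ACC_NONE;
    }
    if (re_match(ANY_RE, target, NULL, 0)) {
        if (by_dn(LOCAL_RE, bind, 0))
            return ACC_READ;
        return ACC_NONE;
    }
    return ACC_NONE;   /* no clause matched; a real slapd applies defaultaccess here */
}

int main(void)
{
    /* Constructed sample DNs; none of them come from the original thread. */
    static const char *const acct1 = "uid=acct1,ou=cs,o=IISc,C=IN";
    static const char *const acct2 = "uid=acct2,ou=cs,o=IISc,C=IN";
    static const char *const p1 = "cn=p1,uid=acct1,ou=cs,o=IISc,C=IN";
    static const char *const p2 = "cn=p2,uid=acct1,ou=cs,o=IISc,C=IN";
    static const char *const names[] = { "none", "read", "write" };

    printf("acct1 on its own person p1:   %s\n", names[acl_decide(p1, acct1, 0)]);
    printf("acct2 on acct1's person p1:   %s\n", names[acl_decide(p1, acct2, 0)]);
    printf("acct2 on the acct1 entry:     %s\n", names[acl_decide(acct1, acct2, 0)]);
    /* Any entry with a userPassword can bind in 1.x, so check what a person
     * entry gets on its sibling under an unanchored vs. anchored by dn="$1". */
    printf("p1 on sibling p2, unanchored: %s\n", names[acl_decide(p2, p1, 0)]);
    printf("p1 on sibling p2, anchored:   %s\n", names[acl_decide(p2, p1, 1)]);
    return 0;
}
```

Build with cc -o acl acl.c and run it. The first three lines confirm the intent of the post: an account writes its own persons, reads other accounts' persons, and reads other account entries. The last two lines show the difference anchoring makes: an unanchored by dn="$1" lets p1 write its sibling p2, while the anchored form drops it to read. If the server you run matches by dn patterns unanchored, anchoring the pattern is the fix; test on that version that $1 still expands inside the anchors.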