
Re: help needed in setting acl



At 05:52 PM 7/20/99 -0500, ramana.ramachandran@wcom.com wrote:
>hi
>I need some help in setting my ACL.
>My dir hierarchy is
>
>one organization
>multiple organizationalUnit(s) underneath the organization
>multiple account(s) underneath each organizationalUnit.
>multiple person(s) underneath each account.
> 
>account has uid & userPassword. Each person has an owner which is a dn to
>the account that created it.
>
>(1) One can bind ONLY to the account

In OpenLDAP 1.x, you technically cannot restrict binds.
If an entry has a userPassword (or krbName), it can be a bind
target.  No ACLs are applied.  The "compare" access you often
see is to allow external authentication applications.

The next release of OpenLDAP (ie: 2.0) will support a new
access level ("auth") to control authentication.

However, you can restrict which entries a client can add
userPasswords to...
  # only the entry itself may set its own password; everyone else gets nothing
  access to attr=userPassword
        by self write
        by * none

>(2) Each account can create, modify, delete person  object underneath
>itself. Each account can read person info of other accounts.

Sounds like a job for regex...  something like this might do:

# subtree write (if DN fits within naming)
# other DNs, read
# default none
# $1 is the account DN captured by the parenthesised part of the "to" regex
access to
  dn="^.+,([[:alnum:]]+=[[:alnum:]]+,[[:alnum:]]+=[[:alnum:]]+,o=IISc,C=IN)$"
        by dn="$1" write
        by dn=".*,o=IISc,C=IN" read
        by * none

# self write
# other DNs, read
# default none
access to
  dn="^[[:alnum:]]+=[[:alnum:]]+,[[:alnum:]]+=[[:alnum:]]+,o=IISc,C=IN$"
        by self write
        by dn=".*,o=IISc,C=IN" read
        by * none

# general read, default none
access to
  dn="^(.*,)?o=IISc,C=IN$"
        by dn=".*,o=IISc,C=IN" read
        by * none

Note: the :alnum: may be too restrictive and could be replaced with
something that matches more (but not too much more).
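An added example (not from Kurt's post) that models how slapd evaluates these three ACLs: the first "access to" clause whose regex matches the target DN wins, and within it the first matching "by" clause decides. It assumes Python's re module in place of regexec() (so POSIX [[:alnum:]] is written [A-Za-z0-9]), that $1 in a "by dn=" clause is expanded from the "to" match, and that a "by dn=" regex is unanchored unless it carries ^ and $; the DNs are constructed sample data.

```python
import re

# Kurt's three ACLs, in evaluation order. POSIX [[:alnum:]] becomes [A-Za-z0-9]
# because Python's re module has no POSIX classes (assumption of this model).
BASE = r"o=IISc,C=IN"
RDN = r"[A-Za-z0-9]+=[A-Za-z0-9]+"
ACLS = [
    # person entries: the owning account ($1) writes, other org entries read
    (rf"^.+,({RDN},{RDN},{BASE})$",
     [("dn", "$1", "write"), ("dn", rf".*,{BASE}", "read"), ("*", None, "none")]),
    # account entries: self writes, other org entries read
    (rf"^{RDN},{RDN},{BASE}$",
     [("self", None, "write"), ("dn", rf".*,{BASE}", "read"), ("*", None, "none")]),
    # everything else under the org: bound org entries read, default none
    (rf"^(.*,)?{BASE}$",
     [("dn", rf".*,{BASE}", "read"), ("*", None, "none")]),
]


def expand(pattern, match):
    """Replace $1..$9 in a <who> pattern with the literal text the <what> regex captured."""
    return re.sub(r"\$(\d)", lambda m: re.escape(match.group(int(m.group(1)))), pattern)


def access(target_dn, bind_dn):
    """Access level bind_dn ('' = anonymous) gets on target_dn under ACLS.

    First 'access to' clause whose regex matches the target wins; the first
    'by' clause in it whose <who> matches decides. No match at all means none.
    """
    for what, whos in ACLS:
        m = re.search(what, target_dn)
        if not m:
            continue
        for kind, pat, level in whos:
            if kind == "*":
                return level
            if kind == "self" and bind_dn and bind_dn == target_dn:
                return level
            # Assumption: like regexec(), a <who> regex is unanchored unless it has ^/$.
            if kind == "dn" and bind_dn and re.search(expand(pat, m), bind_dn):
                return level
        return "none"
    return "none"


# Constructed sample DNs following the org > ou > account > person layout.
ACCT1 = "uid=acct1,ou=eng,o=IISc,C=IN"
ACCT2 = "uid=acct2,ou=eng,o=IISc,C=IN"
PERSON1 = "cn=bob,uid=acct1,ou=eng,o=IISc,C=IN"
```

Because the expanded "$1" pattern is unanchored, any bind DN that merely contains the account DN as a suffix also satisfies it; anchoring the by clause as "^$1$" closes that gap.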

>Somewhere I read about giving access to parent (maybe ldapv3?).

Access control mechanisms are server specific.

>I need
>something like that or better still ability to grant add entry and
>write access to each account. Any idea how I could do that? While the
>below acl doesn't work, I thought you could comment on it too.

See above.  You might also check out ACL groups...
  http://www.openldap.org/faq/index.cgi?file=52

Kurt