Re: Assigning user access to parts of tree
Hi Marco,
Thanks for the quick and detailed reply. However if I understand you
rightly, these access permissions go into the slapd.conf. Is there
any way of maintaining these permissions within the LDAP database
itself? The reason is that I'm likely to have hundreds of these
controlled subtrees, and obviously updating slapd.conf each time a
subtree is added is not going to be either feasible or desirable
(since slapd will need to be restarted).
Regards,
-- Raju
>>>>> "Marco" == Marco Ferrante <ferrante@unige.it> writes:
>> How does one go about assigning varying access and password
>> control to different parts of the tree to various users?
>> I.e. userA can read and write
>> "dn:ou=virtualDomain,dc=abcd,dc=com" while userB can read/write
>> "dn:ou=virtualHost,dc=abcd,dc=com" but only read userA's DN.
Marco> You can do it in two ways:
Marco> - you can create an instance of objectClass groupOfNames under
Marco> "ou=virtualDomain,dc=abcd,dc=com" called
Marco> "cn=RWusers,ou=virtualDomain,dc=abcd,dc=com" (or some other
Marco> name...) with a value of attribute member set to userA,...;
Marco> similarly, in branch "ou=virtualHost,dc=abcd,dc=com" you put a
Marco> groupOfNames "cn=RWusers,ou=virtualHost,dc=abcd,dc=com" with
Marco> member: userB,... and a groupOfNames
Marco> "cn=ROusers,ou=virtualHost,dc=abcd,dc=com" with member: userA,...
Marco> In ACL you put a line like
Marco>
Marco>   access to dn="(.*),ou=(.*),dc=abcd,dc=com"
Marco>       by self write
Marco>       by group="cn=RWusers,$2,dc=abcd,dc=com" write
Marco>       by group="cn=ROusers,$2,dc=abcd,dc=com" read
Marco>
Marco> In this way, every DN specified as member of a groupOfNames
Marco> called RWusers under a subtree X can read/write under the
Marco> same subtree and every DN specified as member of a
Marco> groupOfNames called ROusers under a subtree X can read
Marco> under the subtree.
Marco> - in a less general way, if userA is ever under
Marco> subtree ou=virtualDomain,dc=abcd,dc=com (e.g. every entry
Marco> can read/write in its subtree and only read in other
Marco> subtree) you can use a regular expression like
Marco>
Marco>   access to dn="(.*),ou=(.*),dc=abcd,dc=com"
Marco>       by self write
Marco>       by dn=".*,$2,dc=abcd,dc=com" write
Marco>       by dn=".*,.*,dc=abcd,dc=com" read
Marco> --------------------------------------------------------
Marco> Marco Ferrante (ferrante@unige.it) CSITA (Centro Servizi
Marco> Informatici e Telematici d'Ateneo) Università degli Studi
Marco> di Genova - Italy Viale Brigata Salerno - 16147 Genova tel
Marco> (+39) 0103532621 (interno tel. 2621)
Marco> --------------------------------------------------------