
Re: Assigning user access to parts of tree



Hi Marco,

Thanks for the quick and detailed reply.  However, if I understand you
rightly, these access permissions go into the slapd.conf.  Is there
any way of maintaining these permissions within the LDAP database
itself?  The reason is that I'm likely to have hundreds of these
controlled subtrees, and obviously updating slapd.conf each time a
subtree is added is not going to be either feasible or desirable
(since slapd will need to be restarted).

Regards,

-- Raju

>>>>> "Marco" == Marco Ferrante <ferrante@unige.it> writes:

    >> How does one go about assigning varying access and password
    >> control to different parts of the tree to various users?
    >> I.e. userA can read and write
    >> "dn:ou=virtualDomain,dc=abcd,dc=com" while userB can read/write
    >> "dn:ou=virtualHost,dc=abcd,dc=com" but only read userA's DN.

    Marco> You can do it in two ways: - you can create an instance of
    Marco> objectClass groupOfNames under
    Marco> "ou=virtualDomain,dc=abcd,dc=com" called
    Marco> "cn=RWusers,ou=virtualDomain,dc=abcd,dc=com" (or some other
    Marco> name...)  with a value of attribute member set to
    Marco> userA,...; similarly, in branch
    Marco> "ou=virtualHost,dc=abcd,dc=com" you put a groupOfNames
    Marco> "cn=RWusers,ou=virtualHost,dc=abcd,dc=com" with member:
    Marco> userB,... and a groupOfNames
    Marco> "cn=ROusers,ou=virtualHost,dc=abcd,dc=com" with member:
    Marco> userA,...  In ACL you put a line like

    Marco> access to dn="(.*),ou=(.*),dc=abcd,dc=com" by self write by
    Marco> group="cn=RWusers,$2,dc=abcd,dc=com" write by
    Marco> group="cn=ROusers,$2,dc=abcd,dc=com" read

    Marco> In this way, every DN specified as member of a groupOfNames
    Marco> called RWusers under a subtree X can read/write under the
    Marco> same subtree and every DN specified as member of a
    Marco> groupOfNames called ROusers under a subtree X can read
    Marco> under the subtree.

    Marco> - in a less general way, if userA is ever under
    Marco> subtree ou=virtualDomain,dc=abcd,dc=com (e.g. every entry
    Marco> can read/write in its subtree and only read in other
    Marco> subtree) you can use a regular expression like

    Marco> access to dn="(.*),ou=(.*),dc=abcd,dc=com" by self write by
    Marco> dn=".*,$2,dc=abcd,dc=com" write by
    Marco> dn=".*,.*,dc=abcd,dc=com" read


    Marco> --------------------------------------------------------
    Marco> Marco Ferrante (ferrante@unige.it) CSITA (Centro Servizi
    Marco> Informatici e Telematici d'Ateneo) Università degli Studi
    Marco> di Genova - Italy Viale Brigata Salerno - 16147 Genova tel
    Marco> (+39) 0103532621 (interno tel. 2621)
    Marco> --------------------------------------------------------
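The two ACL forms Marco quotes above, modelled as an added example (not code from the thread or from OpenLDAP) so the regex capture and `$2` substitution can be checked against sample DNs. The user and group DNs are constructed for the example. One caveat the model makes visible: with the target regex as written, `$2` captures only the ou value (e.g. `virtualHost`), so the `by` templates here spell out `ou=$2` where the thread wrote `$2`; the thread's templates as written would expand to `cn=RWusers,virtualHost,dc=abcd,dc=com`, which names no entry.

```python
import re

# Constructed sample data (not from the thread). In the first ACL users live in
# ou=people; in the second they live inside the subtree they administer.
USER_A = "cn=userA,ou=people,dc=abcd,dc=com"
USER_B = "cn=userB,ou=people,dc=abcd,dc=com"
GROUPS = {  # groupOfNames DN -> set of member DNs
    "cn=RWusers,ou=virtualDomain,dc=abcd,dc=com": {USER_A},
    "cn=RWusers,ou=virtualHost,dc=abcd,dc=com": {USER_B},
    "cn=ROusers,ou=virtualHost,dc=abcd,dc=com": {USER_A},
    "cn=ROusers,ou=people,dc=abcd,dc=com": {USER_B},  # userB may read userA's entry
}

# Target clause from the thread; $2 captures only the ou value (e.g. "virtualHost"),
# so the templates below spell out "ou=$2" where the thread wrote "$2".
TARGET = re.compile(r"(.*),ou=(.*),dc=abcd,dc=com")
GROUP_ACL = [("self", None, "write"),
             ("group", "cn=RWusers,ou=$2,dc=abcd,dc=com", "write"),
             ("group", "cn=ROusers,ou=$2,dc=abcd,dc=com", "read")]
DN_ACL = [("self", None, "write"),
          ("dn", ".*,ou=$2,dc=abcd,dc=com", "write"),
          ("dn", ".*,.*,dc=abcd,dc=com", "read")]


def expand(template, m):
    """Substitute $1..$9 with the capture groups of the target regex match."""
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), template)


def group_dn_for(target_dn, template):
    """Group DN the ACL would look up for target_dn, or None if the target clause does not match."""
    m = TARGET.search(target_dn)
    return expand(template, m) if m else None


def access(target_dn, bind_dn, acl=GROUP_ACL, groups=GROUPS):
    """Access level bind_dn gets on target_dn: the first matching 'by' clause decides."""
    m = TARGET.search(target_dn)
    if not m:
        return "none"  # the directive does not apply; slapd falls through to later rules
    for kind, template, level in acl:
        if kind == "self" and bind_dn == target_dn:
            return level
        if kind == "group" and bind_dn in groups.get(expand(template, m), set()):
            return level
        if kind == "dn" and re.search(expand(template, m), bind_dn):
            return level
    return "none"  # no clause matched: slapd's implicit "by * none"
```

Because the first `(.*)` is greedy, `$2` is always the ou closest to the suffix, so an entry nested as `cn=x,ou=a,ou=b,dc=abcd,dc=com` is governed by the groups under `ou=b`, the top-level subtree X that Marco describes.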