Re: ACLs
Until the SaslRegExp directive gets used, SASL identities have no relation to
user DNs. uid=steve may be able to write to userPassword under
"uid=steve,ou=People,dc=sprinter,dc=org", but ldappasswd while being
authenticated as this identity will result in an error. Using SASL/GSSAPI will
make this statement pointless, but there may be cases when an actual DN is
desired, such as when using the dnattr ACL directive.
Alexander Brinkman wrote:
> Thanks everyone, I have it working now...
>
> Perhaps there are more people struggling with this, so here are some
> pointers on how I have it working:
>
> My ACLs are now: (they are not perfect, but it works :))
>
> access to dn="^uid=([^,]+),ou=People,dc=sprinter,dc=org"
> attrs=userPassword
> by dn="uid=$1" write
> by dn="cn=Manager,dc=sprinter,dc=org" write
> by self write
> by anonymous auth
> by * none
>
> access to attr=userPassword
> by self write
> by dn="cn=Manager,dc=sprinter,dc=org" write
> by anonymous auth
> by * none
>
> access to *
> by self write
> by dn="cn=Manager,dc=sprinter,dc=org" write
> by * read
>
> Besides that I have the following options in slapd.conf:
> sasl-host eon.za.net
> sasl-realm "SPRINTER.ORG"
> sasl-secprops none
>
> I have set up Kerberos with a realm named SPRINTER.ORG.
>
> When I start kinit I authenticate with a user named eon.
> After this ldapsearch -Y gssapi will contact the OpenLDAP server which
> assigns uid=eon to my authenticated user. According to the ACLs in
> slapd.conf that user will get write access to his simple bind password
> (userPassword). The reason there is another ACL for the userPassword
> attribute is that groups can also have passwords, and you don't want to have
> default read access on those... :)
>
> I probably have some errors in this story above, so if anyone finds them,
> please correct :) However, it is working for me right now...
>
> Grtz,
> Eon.
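As an added illustration (my own model, not slapd code and not from either poster), here is a first-match evaluator over the three access clauses Alexander quoted. It assumes slapd's regex-style semantics as the thread describes them: `$1` in a `by dn` clause is replaced by the group captured from the `to dn` regex and then matched as a regex, and an unmapped SASL identity binds as the bare string `uid=<authcid>`; the group entry and the `mail` attribute are constructed sample input.

```python
import re

# Constructed model of the three "access to" clauses quoted above (not slapd's own code).
# "to": regex on the target DN (None = any entry); "attrs": set, or None = any attribute.
ACLS = [
    {"to": r"^uid=([^,]+),ou=People,dc=sprinter,dc=org", "attrs": {"userPassword"},
     "by": [("dn", "uid=$1", "write"), ("dn", "cn=Manager,dc=sprinter,dc=org", "write"),
            ("self", None, "write"), ("anonymous", None, "auth"), ("*", None, "none")]},
    {"to": None, "attrs": {"userPassword"},
     "by": [("self", None, "write"), ("dn", "cn=Manager,dc=sprinter,dc=org", "write"),
            ("anonymous", None, "auth"), ("*", None, "none")]},
    {"to": None, "attrs": None,
     "by": [("self", None, "write"), ("dn", "cn=Manager,dc=sprinter,dc=org", "write"),
            ("*", None, "read")]},
]

def sasl_identity(authcid):
    """Identity slapd binds as for a SASL authcid when no saslRegexp maps it to an entry DN."""
    return f"uid={authcid}"

def match_by(who, pattern, bind_dn, target_dn, groups):
    """Does one 'by' clause match the bound identity? bind_dn == '' means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    # dn=...: $1 is replaced by the group captured from the 'to' regex, then matched as a regex
    expanded = pattern.replace("$1", groups[0]) if groups else pattern
    return bind_dn != "" and re.match(expanded, bind_dn, re.IGNORECASE) is not None

def access(bind_dn, target_dn, attr):
    """First-match: the first 'to' clause that applies decides, and its first matching 'by' wins."""
    for acl in ACLS:
        groups = ()
        if acl["to"] is not None:
            m = re.match(acl["to"], target_dn, re.IGNORECASE)
            if not m:
                continue
            groups = m.groups()
        if acl["attrs"] is not None and attr not in acl["attrs"]:
            continue
        for who, pattern, level in acl["by"]:
            if match_by(who, pattern, bind_dn, target_dn, groups):
                return level
        return "none"  # clause applied but no 'by' matched
    return "none"
```

Note that the bare SASL identity `uid=eon` only gets `write` on userPassword through the `uid=$1` clause; on any other attribute of the same entry it is not `self`, so it falls through to `by * read`, which is the gap the reply above is pointing at.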
- Follow-Ups:
- RE: ACLs
- From: a.brinkman@avades.nl (Alexander Brinkman)
- References:
- RE: ACLs
- From: a.brinkman@avades.nl (Alexander Brinkman)