
Re: access control help



hello,

thanks for your reply. But it doesn't work as it should: if I log in e.g. with 'cn=user1,dc=orderrace,dc=com' I see no data, neither my own nor other subtrees. Searches
always return 0 entries. I have OpenLDAP server version 2.0.7 installed. May this be the problem?

For a start it would also help me if I had an explicit access rule for every user in slapd.conf. What should the access rule e.g. for 'cn=user1,dc=orderrace,dc=com'
look like, so that this user has read/write access only to its own subtree?

best regards,
p.lüders

David Olivier wrote:

> --On Saturday 16 June 2001 20:07 +0200 pe7@gmx.de said:
>
> > hello
> >
> > I want to achieve the following: the LDAP data is structured in this way:
> >
> > root
> >   cn=user1
> >     adress0
> >     adress1
> >     adress2
> >     ...
> >   cn=user2
> >     adress0
> >     adress1
> >     adress2
> >     ...
> >   cn=user3
> > ...
> >
> > My current configuration is:
> >
> > access to attr=userPassword
> >   by self write
> >   by anonymous auth
> >   by dn="cn=Admin,dc=orderrace,dc=com" write
> >   by * none
> > access to *
> >   by users write
> >
> > But the problem is that each user is also able to read and write other
> > subtrees. Is it possible to set up slapd.conf in such a way that each user
> > can read and write only within its own subtree? It would be good if I didn't
> > have to write an access rule for every user, because then I would have to restart the
> > LDAP server after each user change. Could someone please give me an example of how
> > I could set the access rights? I have made a lot of attempts but didn't
> > succeed and also couldn't find help within the list archive.
>
> I haven't tried it, but inspired by <http://www.openldap.org/faq/data/cache/451.html> and <http://www.openldap.org/faq/data/cache/452.html> I suggest something like:
>
> access to attr=userPassword
>   by self write
>   by anonymous auth
>   by dn="cn=Admin,dc=orderrace,dc=com" write
>   by * none
> access to dn.regex=".*,cn=(.*),dc=orderrace,dc=com"
>   by dn.regex=".*,cn=$1,dc=orderrace,dc=com" write
>   by * none
>
> This should give anyone in a subtree write access to all entries in that subtree (except to the userPassword attribute of those entries, to which it
> has no access at all (except to its own, to which it has write access)).
>
> I'd be interested to know if it works!
>
> ----
> David Olivier
> David.Olivier@univ-lyon2.fr
> Les Cahiers antispécistes: http://www.cahiers-antispecistes.org/
>
>   Ducks and pigeons,
>   pigs and lambs
>   put their drops of blood
>   under the multiplications;
>   and the terrible bellowing of the gutted cows
>   fills the valley with pain
>   where the Hudson gets drunk on oil.
>
> Federico Garcia Lorca
> ----
> Visit a slaughterhouse!
> http://vegetariensplessis.online.fr/temoignage.html

--
(((http://jzone.de)))
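
A corrected version of the ACL this thread is trying to build, added here as an example; it is not the configuration either poster used. It assumes slapd.conf syntax with the dn.regex, dn.base and dn.exact styles described in slapd.access(5), the Admin DN and suffix from the thread, and cn values that contain no regex metacharacters.

```conf
# Added example, not the configuration posted in this thread.
# Assumes OpenLDAP slapd.conf ACL syntax with the dn.regex, dn.base and
# dn.exact styles (slapd.access(5)); check that your release accepts them.
# Directory layout as in the original post: cn=<user>,dc=orderrace,dc=com
# with that user's address entries directly below it.

# Passwords: only the entry itself and the admin may change them, anyone
# may bind against them, nobody else (not even the subtree owner) reads them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.exact="cn=Admin,dc=orderrace,dc=com" write
        by * none

# Authenticated users may read the suffix entry itself, so that a search
# based at dc=orderrace,dc=com is allowed to start (assumption: clients
# search from the suffix rather than from their own entry).
access to dn.base="dc=orderrace,dc=com"
        by users read

# A user's own entry and everything below it. The target regex is anchored
# at both ends, "(.+,)?" makes it match the cn=<user> entry as well as its
# children, and "[^,]+" captures exactly one RDN value in $2. The bind DN
# must then be exactly cn=<that value>,dc=orderrace,dc=com. The quoted
# suggestion's ".*,cn=$1,..." required something before "cn=", so a bind as
# cn=user1,dc=orderrace,dc=com never matched it and saw nothing.
access to dn.regex="^(.+,)?cn=([^,]+),dc=orderrace,dc=com$"
        by dn.regex="^cn=$2,dc=orderrace,dc=com$" write
        by dn.exact="cn=Admin,dc=orderrace,dc=com" write
        by * none

# Everything else. Other users' subtrees already fell through to "none"
# in the rule above; this only catches entries of some other shape.
access to *
        by dn.exact="cn=Admin,dc=orderrace,dc=com" write
        by * none
```

Verify by binding as one user with `ldapsearch -x -D "cn=user1,dc=orderrace,dc=com" -W -b "cn=user1,dc=orderrace,dc=com"` and then repeating the search with `-b "cn=user2,dc=orderrace,dc=com"`: the first should return user1's subtree, the second nothing. The rules are evaluated in order and the first matching `access to` wins, so the userPassword rule must stay above the subtree rule.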