Re: having more privileged users
Prune wrote:
> Hi,
>
> Sorry to repost but I had no answer....
> Maybe I wasn't understood....
>
> Here is what I want:
>
> I want to be able to bind as a user (who's not manager) who will be able
> to do a search and find the DN of every entry in my LDAP.
> How is this possible?
> How should I do it?
> Is this a good solution?
The rootdn is a privileged user in the sense that it undergoes
privileged treatment when binding and performing all operations
that normally require checking permissions (think of ACLs in
read/write, size/time limits and so on). Unprivileged users may gain
special privileges only by means of accurate configuration. If you
need unlimited read access, you need to explicitly add your user
to any ACL you write; for the time/size limit at present there's no
solution but raising the default limits, but this works for everybody
(in HEAD I just committed a couple of patches that overcome
this limitation).
If your ACLs are:
access to attrs=userPassword
by self write
by * auth
access to dn=".*,ou=My Tree,dc=my,dc=org"
by users read
by * none
access to dn=".*,ou=Another Tree,dc=my,dc=org"
by dn="[^,]+,ou=Apps,dc=my,dc=org"
by * none
access to *
by * read
you need to do:
access to attrs=userPassword
by self write
by * auth
access to dn=".*,ou=My Tree,dc=my,dc=org"
by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
by users read
by * none
access to dn=".*,ou=Another Tree,dc=my,dc=org"
by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
by dn="[^,]+,ou=Apps,dc=my,dc=org"
by * none
access to *
by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
by * search
The same applies if you need different access rights, say "write".
You also need to set
sizelimit (>MAX ENTRIES)
timelimit (>TIME REQUIRED TO SEARCH THE WHOLE DIT)
If you go to HEAD, you may also have a look at
http://www.openldap.org/lists/openldap-devel/200107/msg00116.html
and threads that follow.
Pierangelo.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
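The two checks implied by the reply (does the bind DN get read on every subtree, and does anyone else get more than intended) can be rehearsed offline before touching slapd.conf. The following is an added example, not code from the post or from OpenLDAP: it implements slapd's first-match evaluation for the who-forms used above (*, self, users, dn=<regex>) over a constructed copy of the reply's second ACL set, with cn=searcher,ou=People,dc=my,dc=org standing in for "cn=YOUR USER" and the ou=My Tree clause omitted for brevity. It assumes an omitted access level means read.

```python
import re, shlex
# Constructed sample: the post's second ACL set with a concrete DN in place of
# "cn=YOUR USER,..." and an explicit "read" on the ou=Apps clause (the post omits it).
ACL_AFTER = """
access to attrs=userPassword
  by self write
  by * auth
access to dn=".*,ou=Another Tree,dc=my,dc=org"
  by dn="cn=searcher,ou=People,dc=my,dc=org" read
  by dn="[^,]+,ou=Apps,dc=my,dc=org" read
  by * none
access to *
  by dn="cn=searcher,ou=People,dc=my,dc=org" read
  by * search
"""
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """slapd.conf access directives -> [(what, [(who, level), ...]), ...]."""
    rules = []
    for tok in (shlex.split(line) for line in text.splitlines()):  # quoted DNs stay whole
        if tok[:2] == ["access", "to"]:
            rules.append((tok[2], []))
        elif tok and tok[0] == "by":  # assumption: an omitted level defaults to read
            rules[-1][1].append((tok[1], tok[2] if len(tok) > 2 else "read"))
    return rules

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if bind_dn is None:  # self, users and dn=<regex> all need a bound user
        return False
    if who == "self":
        return bind_dn == target_dn
    # dn=<regex> is unanchored like slapd's regexec; anchor with ^ and $ in real ACLs
    return who == "users" or re.search(who[3:], bind_dn) is not None

def effective_access(rules, bind_dn, target_dn, attr=None):
    """First matching 'access to' wins; first matching 'by' in it sets the level, else none."""
    for what, clauses in rules:
        if what.startswith("attrs=") and attr not in what[6:].split(","):
            continue
        if what.startswith("dn=") and not re.search(what[3:], target_dn):
            continue
        return next((lvl for who, lvl in clauses if who_matches(who, bind_dn, target_dn)), "none")
    return "none"

def denied_entries(rules, bind_dn, sample_dns):
    """DNs the bind user cannot read: what a 'find every DN' search would silently miss."""
    return [dn for dn in sample_dns
            if LEVELS.index(effective_access(rules, bind_dn, dn)) < LEVELS.index("read")]
```

Feed denied_entries a list of representative DNs from each subtree; an empty result for the search account and a non-empty one for an ordinary user is the outcome the reply's ACL set is meant to produce.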