Re: Adding users and access control.
Ajit Nair wrote:
>
> Hello,
>
> I've been trying to configure OpenLdap v2.0.7 with a new user (other than
> the root). However, it looks like I'm missing something. I've added the
> following object to the database:
>
> dn: cn=Update Manager, o=blah.com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: Update Manager
> sn: Manager
> userPassword:: dXBkYXRlX21hbmFnZXI=
>
> where o=blah.com is the base dn.
>
> I've also modified the access control in slapd.conf file to contain
> access to *
> by dn="cn=Update Manager, o=blah.com" write
> by self write
> by anonymous none
> by dn="cn=Directory Manager,.*" write
>
> so that "cn=Update Manager, o=blah.com" can have complete write access
> (which also means read access). But my attempts to verify this with
> ldapsearch and ldapadd utilities return "ldap_bind: Insufficient access" as
> a result. The same operations using the rootdn work fine.
If what you report above is your only access statement, then you're unable
to bind because anonymous needs at least "auth" access. A very coarse
ACL for this purpose would be
access to *
by dn="cn=Update Manager, o=blah.com" write
by self write
by anonymous auth
I'm assuming "cn=Directory Manager,.*" is your rootdn; in this
case you don't need to give it any specific access because ACLs
are not even checked :)
A finer one (still gross, but a good starting point) would be:
access to attrs=userPassword
by dn="cn=Update Manager, o=blah.com" write
by self write
by * auth
access to *
by dn="cn=Update Manager, o=blah.com" write
by users read
by anonymous none
Then you can make the last one more fine-grained by selectively
activating read/write on subtrees, attributes and so on.
Pierangelo.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy |
http://www.aero.polimi.it/~masarati
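As an added example (not code from this thread and not OpenLDAP's own code), the following Python script models the ACL evaluation order the reply relies on: the first "access to" clause whose target matches is selected, inside it the first matching "by" clause decides, levels are ordered none < auth < compare < search < read < write with higher levels implying lower ones, and a simple bind is checked as anonymous needing "auth" on the bind DN's userPassword. The DN normalization (lowercase, spaces after commas dropped, dn="..." treated as a whole-DN regex), the default access when no clause matches, and the rootdn value cn=Directory Manager, o=blah.com are assumptions of the model, labelled in the code. Run against the poster's original ACL and the finer ACL from the reply, it shows why the first denies the bind and the second permits it while still keeping other users' passwords unreadable.

```python
# Toy model of slapd.conf ACL evaluation (added example, not OpenLDAP code).
# Assumptions: first matching "access to" clause wins; within it the first
# matching "by" clause decides (no match -> none); levels ordered as LEVELS,
# higher implies lower; dn="..." is a regex against the whole normalized DN.
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
DEFAULT_ACCESS = "none"      # assumption: level when no "access to" clause matches

def normalize_dn(dn):
    # Approximation of slapd's normalizer: lowercase, drop spaces after commas.
    return re.sub(r",\s*", ",", dn.strip()).lower()

def parse_acl(text):
    """Turn 'access to <what>' / 'by <who> <level>' lines into [(what, [(who, level)])]."""
    acls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and acls:
            who, level = line[3:].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            acls[-1][1].append((who, level))
        else:
            raise ValueError("unexpected ACL line: " + line)
    return acls

def _dn_pattern_matches(pattern, dn):
    return re.fullmatch(normalize_dn(pattern), normalize_dn(dn)) is not None

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    m = re.fullmatch(r"attrs=(\S+)", what)
    if m:
        return attr is not None and attr.lower() in m.group(1).lower().split(",")
    m = re.fullmatch(r'dn="([^"]*)"', what)
    if m:
        return _dn_pattern_matches(m.group(1), target_dn)
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn)
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return bind_dn is not None and _dn_pattern_matches(m.group(1), bind_dn)
    raise ValueError("unsupported <who>: " + who)

def granted(acls, bind_dn, target_dn, attr, wanted, rootdn=None):
    """Does bind_dn (None = anonymous) get `wanted` access to attr of target_dn?"""
    if rootdn and bind_dn and normalize_dn(bind_dn) == normalize_dn(rootdn):
        return True                                # rootdn: ACLs are never consulted
    level = DEFAULT_ACCESS
    for what, bys in acls:
        if what_matches(what, target_dn, attr):
            level = next((lvl for who, lvl in bys
                          if who_matches(who, bind_dn, target_dn)), "none")
            break
    return LEVELS.index(level) >= LEVELS.index(wanted)

def can_bind(acls, dn, rootdn=None):
    """Simple bind: 'auth' on the bind DN's userPassword, evaluated as anonymous."""
    if rootdn and normalize_dn(dn) == normalize_dn(rootdn):
        return True                                # rootdn is checked against rootpw
    return granted(acls, None, dn, "userPassword", "auth")

UPDATE_MGR = "cn=Update Manager, o=blah.com"
ROOTDN = "cn=Directory Manager, o=blah.com"       # assumed value of the rootdn

ORIGINAL_ACL = """
access to *
    by dn="cn=Update Manager, o=blah.com" write
    by self write
    by anonymous none
    by dn="cn=Directory Manager,.*" write
"""
FINER_ACL = """
access to attrs=userPassword
    by dn="cn=Update Manager, o=blah.com" write
    by self write
    by * auth
access to *
    by dn="cn=Update Manager, o=blah.com" write
    by users read
    by anonymous none
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("finer", FINER_ACL)):
        acls = parse_acl(text)
        print(name, "bind as Update Manager:", can_bind(acls, UPDATE_MGR, ROOTDN))
        print(name, "anonymous read of cn:", granted(acls, None, "cn=joe,o=blah.com", "cn", "read"))
```

The point to take from the model is the "first match wins" rule on the "by" list: in the original ACL the "by anonymous none" line is reached for every anonymous request, including the one slapd makes on userPassword during the bind, so the bind never gets "auth". The finer ACL splits userPassword off into its own clause so that "auth" can be granted to everyone without granting "read" on the hash to anyone but the owner and the update account.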