Hi Guys, I'm a newbie in LDAP so bear with me please. I'm trying to configure a very simple LDAP server (at least for now). I have this slapd.conf file:

servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

#referral       ldap://www2.ldap.colubris.com
loglevel        256

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
referral        ldap://root.openldap.org

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample Access Control
#       Allow read access of root DSE
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#
# access to * by * read
#access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default is:
#       Allow read by all
#
#rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
readonly        on
suffix          "dc=colubris,dc=com"
rootdn          "cn=ehoxha, o=colubris, dc=com"
rootpw          ehoxha
directory       /usr/local/var/openldap-ldbm
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
#directory      /usr/local/var/openldap-ldbm
# Indices to maintain
index           uid     pres, eq objectClass
lastmod         on

#access to attr=userPassword
#       by selfwrite
#       by anonymous auth
#       by dn="cn=root, dc=colubris, dc=com" write
#       by * none
#access to *
#       by self write
#       by dn="cn=root, dc=colubris, dc=com" write
#       by users read
#access to dn="(.*,)?dc=colubris,dc=com"
#attr=homePhone
#       by self write
#       by #dn="(.*,)?dc=colubris,dc=com"search
#       by domain=.*\.colubris\.com read
# access to dn="(.*,)?dc=colubris,dc=com"
#       by self write
#       by dn=".*,dc=colubris,dc=com" search
#       by anonymous auth
# access to attr=member,entry
#       by dnattr=member selfwrite

The problem is that when I wanna add a .ldif file I get this error:

ldapadd -x -D "cn=root, dc=saranda, dc=com" -W -f myldif.ldif
ldap_bind: Referral

and nothing new shows up in the slapd file.

Thanks for any help

-----Original Message-----
From: Alejandra Moreno
Sent: Tue 1/8/2002 10:51 AM
To: Joachim.Koch@mlp-ag.com
Cc: openldap-software@OpenLDAP.org
Subject: Re: ACL for PGP [Virus checked (@MLP)] [Virus checked]

Ahhh!!! I didn't know that! I will try it.

Alejandra

At 16:21 08.01.2002 +0100, you wrote:
>Hi!
>
>You are right, it looks terrible, and I do not recommend building ACLs like
>this,
>but OpenLDAP ACLs are processed from top to bottom, and the first
>ACL that matches is used. So I only give write permission to everyone
>(including anonymous) to everything except
>
>  access to dn=".*,dc=ch" by * read
>
>Here only read permission is given.
>
>Please correct me, if I should be wrong.
>
>Joachim
>
>
>Alejandra Moreno <alejandra.moreno@atrete.ch> on 08.01.2002 09:53:15
>
>To: Joachim Koch/Login/DE/MLP@MLP
>Cc: openldap-software@OpenLDAP.org
>Subject: Re: ACL for PGP - WAS: Re: Storing Special German Characters in
> OpenLDAP as PGP -Directory
>
>
>Hi!
>
>But with the last line aren't you giving permission to everybody to write
>on the whole tree???? I wouldn't like that!
>You are right, NAI's integration seems really poor!
>
>Alejandra
>
>At 17:32 04.01.2002 +0100, you wrote:
> >Hi!
> >
> >This works:
> >  access to dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
> >  access to dn=".*,dc=atrete,dc=ch" by * write
> >  access to dn=".*,dc=ch" by * read
> >  access to * by * write
> >
> >The first line gives write permission to everything _below_ "o=PGP
> >Keys,dc=atrete,dc=ch",
> >but why does PGP try to write on level "*,dc=atrete,dc=ch"?
> >
> >The LDAP integration for PGP by NAI seems to be poorly programmed. :-(
> >
> >Joachim
> >
> >
> >Alejandra Moreno <alejandra.moreno@atrete.ch> on 04.01.2002 17:13:02
> >
> >To: Joachim Koch/Login/DE/MLP@MLP, openldap-software@OpenLDAP.org
> >Cc:
> >
> >Subject: Re: ACL for PGP - WAS: Re: Storing Special German Characters in
> > OpenLDAP as PGP -Directory
> >
> >
> >Hi!
> >
> >If you try:
> >
> >access to dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
> >access to dn=".*,dc=ch" by * read
> >access to * by * read
> >
> >to send a key you get the error: no write access to parent
> >But don't I give write access to parent with the first line? This is
> >crazy!!!
> >
> >Alejandra
> >
> >At 16:56 04.01.2002 +0100, you wrote:
> > >Hi!
> > >
> > >try this, if you only want to search for keys:
> > >access to dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
> > >access to dn=".*,dc=ch" by * read
> > >---> access to * by * read <----
> > >
> > >The third line has to be
> > >  access to * by * write !!!
> > >if you want to send keys to the server.
> > >
> > >I'm wondering why the third line is necessary. What does the ##$#-Client
> > >try and
> > >where?
> > >
> > >Greets,
> > >Joachim
> > >
> > >
> > >Alejandra Moreno <alejandra.moreno@atrete.ch> on 04.01.2002 16:12:39
> > >
> > >To: openldap-software@OpenLDAP.org
> > >Cc: (Bcc: Joachim Koch/Login/DE/MLP)
> > >
> > >Subject: Re: Storing Special German Characters in OpenLDAP as
> > >PGP -Directory
> > >
> > >
> > >Hi!
> > >
> > >I also tried that, and still didn't work. It's driving me nuts!!!!
> > >
> > >At 15:35 04.01.2002 +0100, you wrote:
> > > >quote Alejandra Moreno (4.1.2002):
> > > >
> > > > > If you get some feedback from NAI, just tell me!
> > > > > You were right about the access permission, the following syntax won't
> > > > > work:
> > > > >
> > > > > access to dn=".*,dc=ch" by * read
> > > > > access to dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
> > > >
> > > >switch the ACLs to:
> > > >access to dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
> > > >access to dn=".*,dc=ch" by * read
> > > >
> > > >the first matching ACL does the job.
> > > >
> > > >  Sebastian Dietzold
> > > >
> > > >--
> > > >Sebastian Dietzold
> > > >Content Management / Directory Services
> > > >Institute for Medical Informatics,
> > > >Statistics and Epidemiology (IMISE)
> > > >University of Leipzig
> > > >Liebigstr. 27
> > > >04103 Leipzig
> > > >Phone: +49 341 97 161 14
> > > >Fax: +49 341 97 161 30
> > >
> > >______________________________________________________________________
> > >Alejandra Moreno Espinar
> > >at rete ag
> > >
> > >mailto:alejandra.moreno@atrete.ch, http://www.atrete.ch
> > >snail mail: Oberdorfstrasse 2, P.O. Box 674, 8024 Zurich, Switzerland
> > >voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
> > >_____________________________________________________________________
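The "ldap_bind: Referral" at the top of the post follows from two things visible in the posted slapd.conf: the bind DN "cn=root, dc=saranda, dc=com" lies under no configured suffix, and a global referral is active, so slapd hands the bind off instead of serving it. The Python check below is an added review of that file, not code from the thread; it reproduces the file's active directives with the rootpw replaced by a placeholder and the index lines left out.

```python
# Added config review for the slapd.conf posted above (not part of the thread).
SLAPD_CONF = """
include   /usr/local/etc/openldap/schema/core.schema
loglevel  256
referral  ldap://root.openldap.org
database  ldbm
readonly  on
suffix    "dc=colubris,dc=com"
rootdn    "cn=ehoxha, o=colubris, dc=com"
rootpw    PLACEHOLDER
directory /usr/local/var/openldap-ldbm
"""
BIND_DN = "cn=root, dc=saranda, dc=com"   # the -D value from the ldapadd call

def parse(text):
    """Yield (directive, value) for non-comment lines, quotes stripped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            yield name.lower(), value.strip().strip('"')

def dn_parts(dn):
    """Crude DN normalisation: split on commas, trim spaces, lowercase."""
    return [p.strip().lower() for p in dn.split(",")]

def is_under(dn, suffix):
    d, s = dn_parts(dn), dn_parts(suffix)
    return len(d) >= len(s) and d[-len(s):] == s

def review(conf_text, bind_dn):
    """Return finding codes: why the bind is answered with a referral, and
    what would still block the add after a successful bind."""
    conf = list(parse(conf_text))
    values = lambda name: [v for n, v in conf if n == name]
    suffixes = values("suffix")
    findings = []
    if not any(is_under(bind_dn, s) for s in suffixes):
        # slapd routes a bind by its DN; no database holds this one, so with a
        # global referral configured the client is redirected: ldap_bind: Referral
        findings.append("bind-dn-outside-suffix")
    if values("referral"):
        findings.append("global-referral-active")
    if any(not any(is_under(r, s) for s in suffixes) for r in values("rootdn")):
        findings.append("rootdn-outside-suffix")  # rootdn is not routed to the db either
    if any(not pw.startswith("{") for pw in values("rootpw")):
        findings.append("rootpw-cleartext")       # use a slappasswd(8) hash instead
    if "on" in [v.lower() for v in values("readonly")]:
        findings.append("readonly-on")            # every add would be refused anyway
    return findings
```

Moving the bind DN and rootdn under "dc=colubris,dc=com" and dropping the referral addresses the bind failure; the add is then still refused until "readonly on" is removed.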
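Joachim's point that slapd uses the first matching ACL, and the "no write access to parent" error Alejandra hit, can be replayed with a small model of that evaluation rule over the three orderings quoted in the thread. This is an added example, not code from the thread or from OpenLDAP; it assumes a dn=<regex> target matches the whole normalized DN and models only "by *" subjects, so each rule is just (target, level).

```python
import re

# Added model of slapd's first-match ACL evaluation (illustrative, not OpenLDAP code).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def first_match(acls, dn):
    """Walk the access list top-down; the first target matching the entry
    decides, and later rules are never consulted."""
    for target, level in acls:
        if target == "*" or re.fullmatch(target, dn):
            return level
    return "read"   # slapd's default when no ACL matches

def allows(acls, dn, needed):
    return LEVELS.index(first_match(acls, dn)) >= LEVELS.index(needed)

def parent_of(dn):
    return dn.split(",", 1)[1]

def can_add(acls, dn):
    """An add needs write on the new entry AND on its parent; a parent that
    only gets read is exactly the 'no write access to parent' error."""
    return allows(acls, dn, "write") and allows(acls, parent_of(dn), "write")

# The three orderings discussed on the list.
WRONG_ORDER = [(r".*,dc=ch", "read"),
               (r".*,o=PGP Keys,dc=atrete,dc=ch", "write")]
READ_TAIL = [(r".*,o=PGP Keys,dc=atrete,dc=ch", "write"),
             (r".*,dc=ch", "read"),
             ("*", "read")]
WORKING = [(r".*,o=PGP Keys,dc=atrete,dc=ch", "write"),
           (r".*,dc=atrete,dc=ch", "write"),
           (r".*,dc=ch", "read"),
           ("*", "write")]
KEY = "pgpCertID=EXAMPLE01,o=PGP Keys,dc=atrete,dc=ch"   # constructed key DN

def report(acls):
    """What an anonymous client gets under one ordering, plus two entries
    outside the key container to show what else becomes writable."""
    return {
        "key": first_match(acls, KEY),
        "parent": first_match(acls, parent_of(KEY)),
        "can_add_key": can_add(acls, KEY),
        "people_entry": first_match(acls, "cn=someone,ou=People,dc=atrete,dc=ch"),
        "foreign_entry": first_match(acls, "cn=someone,dc=example,dc=de"),
    }

if __name__ == "__main__":
    for name, acls in [("wrong order", WRONG_ORDER), ("read tail", READ_TAIL),
                       ("working", WORKING)]:
        print(name, report(acls))
```

The model shows why the parent "o=PGP Keys,dc=atrete,dc=ch" never matches the ".*,o=PGP Keys,..." regex (there is no comma in front of it) and falls through to the read rule. It also shows that the working ordering's second line grants anonymous write to every entry under dc=atrete,dc=ch, not just to the keys, which is the exposure Alejandra asked about.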