
Re: aci



On Sun, Feb 25, 2001 at 04:24:34PM +0530, Raghu Babu wrote:
> Hi all,
> 
>        I have configured my OpenLDAP server using the following document for
>        ACI, but I am not able to authenticate using only ACI in a
>        specific entry.
> 
>       http://www.openldap.org/faq/data/cache/634.html
> 
>     The sample entry file for a user in LDAP is as follows,
> 
> dn: uid=ryagnik, ou=People, o=waterford.org
[..]
> objectClass: shadowAccount
> objectClass: openLDAPacl
> uid: ryagnik
> gecos: Rishi Yagnik
> OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#ou=people,o=waterford.org

From the FAQ:
Group requires that the specified DN must contain the objectclass of
"groupOfNames", and that each member's DN is listed as a "member" attribute
of the group.

That means, you would need an entry like this:

dn: cn=group,ou=people,o=waterford.org
cn: group
member: uid=ryagnik,ou=People,o=waterford.org
member: <add other members of the group here>
objectClass: groupOfNames
objectClass: top

Your OpenLDAPaci attribute then of course must look like this:

OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=group,ou=people,o=waterford.org


> shadowLastChange: 11452
> cn: Rishi Yagnik
> homeDirectory: /home/ryagnik
> 
> ---------------------------------------slapd.conf sample file is as follows
[..]
> ------------------------------access.conf---------------------------
> access to *
>        by dn="cn=Manager,o=waterford.org" write
                ^^^^^^ BTW: there is no need to add this one here, the rootdn
                always has write access to everything
>        by aci write

Are you sure that you really need ACIs? Maybe some static rules inside
slapd.conf would suffice.

-- 
Ralf Haferkamp

SuSE GmbH                                        - The Linux Experts -
Deutschherrnstrasse 15-19                         http://www.suse.com
D-90429 Nuernberg, Germany                        Tel: +49-911-74053-0
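Added example, not from the thread or from OpenLDAP itself: a small Python check that mirrors the FAQ rule quoted in the reply. It parses an OpenLDAPaci value of the single-rights form shown above and verifies that a group subject resolves to a groupOfNames entry that lists the user as a member. The directory entries are constructed from the thread's DNs; slapd does the real resolution at access-check time, this only shows why the original ACI cannot match.

```python
# Added example (not from the thread): mirrors the FAQ rule for group ACIs.

def norm_dn(dn):
    # Drop whitespace after RDN separators and lower-case, so that
    # "uid=ryagnik, ou=People, o=waterford.org" matches the key form below.
    return ",".join(p.strip() for p in dn.split(",")).lower()

# Constructed directory: the user entry, the ou it lives in, and the
# groupOfNames entry the reply says is required.
DIRECTORY = {norm_dn(k): v for k, v in {
    "ou=people,o=waterford.org": {"objectClass": ["organizationalUnit"]},
    "cn=group,ou=people,o=waterford.org": {
        "objectClass": ["groupOfNames", "top"],
        "member": ["uid=ryagnik, ou=People, o=waterford.org"],
    },
    "uid=ryagnik,ou=People,o=waterford.org": {"objectClass": ["shadowAccount"]},
}.items()}

def parse_aci(value):
    # Single-rights form used in the mail: oid#scope#action;rights;attrs#dntype#subject
    oid, scope, rights_block, dntype, subject = value.split("#", 4)
    action, rights, attrs = rights_block.split(";")
    return {"oid": oid, "scope": scope, "action": action,
            "rights": rights.split(","), "attrs": attrs,
            "dntype": dntype, "subject": subject}

def check_group_aci(entry_dn, aci_value, directory):
    """Return the problems that would stop a group-type ACI from matching
    (empty list = the group exists, is a groupOfNames and lists entry_dn)."""
    aci = parse_aci(aci_value)
    if aci["dntype"] != "group":
        return []
    problems = []
    group = directory.get(norm_dn(aci["subject"]))
    if group is None:
        return ["group %s does not exist" % aci["subject"]]
    classes = [c.lower() for c in group.get("objectClass", [])]
    if "groupofnames" not in classes:
        problems.append("%s is not a groupOfNames" % aci["subject"])
    members = [norm_dn(m) for m in group.get("member", [])]
    if norm_dn(entry_dn) not in members:
        problems.append("%s is not a member of %s" % (entry_dn, aci["subject"]))
    return problems

if __name__ == "__main__":
    user = "uid=ryagnik,ou=People,o=waterford.org"
    for aci in ("1#entry#grant;r,w,s,c;[all]#group#ou=people,o=waterford.org",
                "1#entry#grant;r,w,s,c;[all]#group#cn=group,ou=people,o=waterford.org"):
        print(aci, "->", check_group_aci(user, aci, DIRECTORY) or "OK")
```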