Re: aci
Hi,
Yes, we need aci for keeping dynamic permissions at the runtime of the ldap server; without restarting the server, the right should get activated.
I have tried the solution with your approach, but still I am not able to authenticate to the ldap server.
The following entry I added in ryagnik:
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=admins,ou=groups,o=waterford.org
Also I created a group by the name cn=Admins,ou=groups,o=waterford.org & added ryagnik as a member of that group.
I also tried
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#self
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#access-id#uid=ryagnik,ou=people,o=waterford.org
But still I was not able to authenticate ryagnik to the ldap server; I am getting the error "insufficient access rights".
I think it's related to anonymous rights for ryagnik.
Waiting for your reply...
Regards,
Raghubabu
----- Original Message -----
From: Ralf Haferkamp <rhafer@suse.de>
To: <openldap-software@OpenLDAP.org>
Sent: Monday, February 25, 2002 5:51 PM
Subject: Re: aci
> On Sun, Feb 25, 2001 at 04:24:34PM +0530, Raghu Babu wrote:
> > Hi all,
> >
> > I have configured my openldap server using the following document for
> > aci, but I am not able to authenticate using only aci in a
> > specific entry.
> >
> > http://www.openldap.org/faq/data/cache/634.html
> >
> > The sample entry file for a use in ldap as follows,
> >
> > dn: uid=ryagnik, ou=People, o=waterford.org
> [..]
> > objectClass: shadowAccount
> > objectClass: openLDAPacl
> > uid: ryagnik
> > gecos: Rishi Yagnik
> > OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#ou=people,o=waterford.org
>
> From the FAQ:
> Group requires that the specified DN must contain the objectclass of
> "groupOfNames", and that each member's DN is listed as a "member" attribute
> of the group.
>
> That means, you would need an entry like this:
>
> dn: cn=group,ou=people,o=waterford.org
> cn: group
> member: uid=ryagnik,ou=People,o=waterford.org
> member: <add other members of the group here>
> objectClass: groupOfNames
> objectClass: top
>
> Your OpenLDAPaci attribute then of course must look like this:
>
> OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=group,ou=people,o=waterford.org
>
>
> > shadowLastChange: 11452
> > cn: Rishi Yagnik
> > homeDirectory: /home/ryagnik
> >
> > ---------------------------------------slapd.conf sample file is as follows
> [..]
> > ------------------------------access.conf---------------------------
> > access to *
> > by dn="cn=Manager,o=waterford.org" write
> ^^^^^^ BTW: there is no need to add this one here; the rootdn
> always has write access to everything
> > by aci write
>
> Are you sure that you really need ACIs? Maybe some static rules inside
> slapd.conf would suffice.
>
> --
> Ralf Haferkamp
>
> SuSE GmbH - The Linux Experts -
> Deutschherrnstrasse 15-19 http://www.suse.com
> D-90429 Nuernberg, Germany Tel: +49-911-74053-0
>
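Added example, not from this thread and not OpenLDAP's own code: a small offline checker for OpenLDAPaci values of the shape used above (oid#scope#action;rights;attrs#type#subject). It models the FAQ rule Ralf quotes, that a "group" subject only matches when the referenced entry is a groupOfNames listing the requester's DN as a member, and it rejects the malformed DNs that appear in the messages above before they are loaded into the directory. Assumptions: only the three subject types seen in the thread (access-id, self, group) are handled, one rights;attrs pair per value, "entry"/"children" as the scope keywords, deny wins over grant, and the directory is a constructed in-memory dict rather than a live slapd. The DN comparison is a simplification (lower-case, trimmed RDNs), which is enough for cn/uid/ou/o.

```python
# Added example (not from the thread or from OpenLDAP): offline checker for
# OpenLDAPaci values of the form oid#scope#action;rights;attrs#type#subject.
# Models the FAQ rule: a "group" subject needs a groupOfNames entry whose
# "member" values include the requester. Directory is a constructed dict.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

Entry = Dict[str, List[str]]


def norm_dn(dn: str) -> str:
    """Simplified DN normalisation: trim around RDNs, lower-case (fine for cn/uid/ou/o)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class Aci:
    oid: str
    scope: str            # "entry" or "children" (assumed keywords)
    action: str           # "grant" or "deny"
    rights: Set[str]      # letters such as r, w, s, c
    attrs: List[str]      # ["[all]"] or attribute names
    subject_type: str     # "access-id", "self" or "group"
    subject: str          # DN, or "" for self


def parse_aci(value: str) -> Aci:
    """Parse one OpenLDAPaci value; raise ValueError with the reason on bad input."""
    fields = value.split("#")
    if len(fields) not in (4, 5):
        raise ValueError(f"expected 4 or 5 '#' fields, got {len(fields)}: {value!r}")
    oid, scope, action_spec, subject_type = fields[:4]
    subject = fields[4] if len(fields) == 5 else ""
    if scope not in ("entry", "children"):
        raise ValueError(f"unknown scope {scope!r}")
    parts = action_spec.split(";")
    if len(parts) != 3 or parts[0] not in ("grant", "deny"):
        raise ValueError(f"bad action spec {action_spec!r}, want grant|deny;rights;attrs")
    action, rights, attrs = parts
    if subject_type not in ("access-id", "self", "group"):
        raise ValueError(f"subject type {subject_type!r} not modelled here")
    # Every RDN must be attr=value; this catches 'cn,group,ou=...' and 'o=x,org'.
    if subject_type != "self" and not (subject and all("=" in p for p in subject.split(","))):
        raise ValueError(f"subject {subject!r} is not a well-formed DN")
    return Aci(oid, scope, action, set(rights.split(",")), attrs.split(","), subject_type, subject)


def aci_is_valid(value: str) -> bool:
    """True if the value parses; use before ldapmodify-ing an OpenLDAPaci attribute."""
    try:
        parse_aci(value)
        return True
    except ValueError:
        return False


def subject_matches(aci: Aci, requester_dn: str, target_dn: str, directory: Dict[str, Entry]) -> bool:
    """Does the ACI subject cover the requester? An anonymous (empty) DN never matches."""
    if not requester_dn:
        return False
    if aci.subject_type == "self":
        return norm_dn(requester_dn) == norm_dn(target_dn)
    if aci.subject_type == "access-id":
        return norm_dn(requester_dn) == norm_dn(aci.subject)
    group = directory.get(norm_dn(aci.subject))
    if group is None:
        return False
    if "groupofnames" not in {c.lower() for c in group.get("objectClass", [])}:
        return False                      # e.g. an organizationalUnit is not a group
    return norm_dn(requester_dn) in {norm_dn(m) for m in group.get("member", [])}


def granted_rights(values: Iterable[str], requester_dn: str, target_dn: str,
                   directory: Dict[str, Entry], attr: str = "[all]") -> Set[str]:
    """Rights the entry-scoped ACIs on target_dn give the requester for one attribute."""
    granted: Set[str] = set()
    denied: Set[str] = set()
    for value in values:
        aci = parse_aci(value)
        if aci.scope != "entry" or not subject_matches(aci, requester_dn, target_dn, directory):
            continue
        if "[all]" not in aci.attrs and attr.lower() not in {a.lower() for a in aci.attrs}:
            continue
        (granted if aci.action == "grant" else denied).update(aci.rights)
    return granted - denied


# Constructed sample directory using the DNs from the thread.
RYAGNIK = "uid=ryagnik,ou=People,o=waterford.org"
ADMINS = "cn=admins,ou=groups,o=waterford.org"
DIRECTORY: Dict[str, Entry] = {
    norm_dn("ou=people,o=waterford.org"): {"objectClass": ["organizationalUnit"]},
    norm_dn(RYAGNIK): {"objectClass": ["shadowAccount", "openLDAPacl"], "uid": ["ryagnik"]},
    norm_dn(ADMINS): {"objectClass": ["top", "groupOfNames"], "member": [RYAGNIK]},
}


def demo() -> Dict[str, List[str]]:
    """Three cases from the thread: OU used as a group, a real groupOfNames, anonymous."""
    ou_as_group = ["1#entry#grant;r,w,s,c;[all]#group#ou=people,o=waterford.org"]
    real_group = ["1#entry#grant;r,w,s,c;[all]#group#" + ADMINS]
    self_only = ["1#entry#grant;r,w,s,c;[all]#self"]
    return {
        "ou_as_group": sorted(granted_rights(ou_as_group, RYAGNIK, RYAGNIK, DIRECTORY)),
        "real_group": sorted(granted_rights(real_group, RYAGNIK, RYAGNIK, DIRECTORY)),
        "anonymous": sorted(granted_rights(real_group + self_only, "", RYAGNIK, DIRECTORY)),
    }
```

Running demo() shows the first ACI from the original post (group subject pointing at ou=people) grants nothing because the OU is not a groupOfNames, the corrected group ACI grants r, w, s and c to ryagnik, and an anonymous requester gets nothing from any of the three subject types, which is the situation at bind time that the "anonymous rights" remark above refers to. aci_is_valid() returns False for the "cn,group,ou=..." value quoted in the reply.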