Question on access
Hi,
I'm a little confused whether I really understood the
"access-rights-concept".
So here are my questions:
The slapd-daemon looks through all access-statements until
it finds a rule which matches.
So if access to dn=xyz is wanted and it's not specially
defined by an access-rule, there must be an access-statement
at the end of the access-list which will match everything?
Example (without the by-statements):
-----------------------------------
access to dn=xyz ... wanted
access to
dn=".*,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
access to attr=loginShell
access to *
-----------------------------------------------------------
Only the last rule will match, correct?
This is a strong rule:
if an access-statement matches, the other, following
statements will be ignored?
--------------------------------------
The same procedure in an access-statement?
The slapd-daemon looks through all by-statements until
it finds a rule which matches?
Example:
dn="nsLIProfilename=harry,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
wants to read/write its roaming-profile:
Here's the roaming-profile for harry:
----------------------------------------------------------------------------------------
owner uid=harry,ou=users, ou=accounts, ou=mynetwork,
o=myorganization, dc=hrnet,dc=de
nsLIProfileName harry
objectClass top
objectClass nsLIProfile
-----------------------------------------------------------------------------------------
Here's the user harry (without the "secret" things :o) ):
-----------------------------------------------------------------------------------------
logonTime 0
displayName harry
objectClass krb5Principal
objectClass sambaAccount
objectClass posixAccount
lmPassword xxxxxxxxxxxxxxxxxxxx
primaryGroupID 513
acctFlags [U ]
userPassword xxxxxxxxxxxxxxxxxxxxxxx
uid harry
uidNumber 1234
cn harry
logoffTime 2147483647
gidNumber 100
kickoffTime 2147483647
pwdLastSet 1018479633
krb5PrincipalName xxxxxxxxxxxxxxx
rid 545
homeDirectory /home/harry
pwdCanChange 0
pwdMustChange 2147483647
ntPassword xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----------------------------------------------------------------------------------------
Here is the access-rule which belongs to the roaming
profiles:
------------------------------------------------------------------
access to
dn=".*,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
write
by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write
by dnattr=owner write
by * none
--------------------------------------------------------------------------------
Will harry get write-access to its profile?
Generally there's the following rule when editing
the access-statements:
first everything specialized, then the more general things
(with * in it),
right?
Last question:
How do I read those by-statements:
by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write
What's the matching rule for this?
What's going on with the "."?
Couldn't I write
by dn="uid=ldapAdmin@HRNET.DE" write
directly?
greets Harry
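To make the evaluation order asked about above concrete, here is an added simulator (not code from the post or from OpenLDAP) of how slapd picks a clause: it walks the `access to` clauses in order, selects the first whose `<what>` matches, and within that clause applies the first matching `by`; if no `by` matches, or no clause matches at all, the result is no access. It treats `dn=` patterns as regular expressions (the 2.0-era syntax the post uses; current slapd spells this `dn.regex=`), anchors them at both ends and compares DNs case-insensitively, which is a simplification of slapd's DN normalisation; the DNs and the ACL are the ones quoted in the post, the entry dict is constructed.

```python
import re

# Constructed sample data modelled on the DNs quoted in the post.
BASE = "ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
HARRY = f"uid=harry,ou=users,{BASE}"
ADMIN = "uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
PROFILE = {"dn": f"nsLIProfileName=harry,ou=Roaming,{BASE}",
           "owner": [HARRY], "objectClass": ["top", "nsLIProfile"]}

# The roaming-profile clause from the post as (what, [(who, level), ...]).
# dn=<pattern> is treated as a regular expression, as 2.0-era slapd did
# (current slapd spells that dn.regex=): "." is any character, "\+" a literal "+".
ROAMING_ACL = (f"dn=.*,ou=Roaming,{BASE}", [
    (f"dn={ADMIN}", "write"),
    (r"dn=uid=ldapAdmin.+\+realm=HRNET.DE", "write"),
    ("dnattr=owner", "write"),   # requestor DN listed in the entry's owner attr
    ("*", "none"),
])

def what_matches(what, entry):
    """Does an 'access to <what>' clause cover this entry? (dn or * only)"""
    if what == "*":
        return True
    kind, _, pat = what.partition("=")
    if kind == "dn":
        return re.fullmatch(pat, entry["dn"], re.IGNORECASE) is not None
    raise ValueError(f"unsupported <what>: {what}")

def who_matches(who, requestor, entry):
    """Does a 'by <who>' clause match the bound (requesting) DN?"""
    if who == "*":
        return True
    kind, _, val = who.partition("=")
    if kind == "dn":
        return re.fullmatch(val, requestor, re.IGNORECASE) is not None
    if kind == "dnattr":   # DNs stored in the named attribute of the target entry
        return requestor.lower() in (v.lower() for v in entry.get(val, []))
    raise ValueError(f"unsupported <who>: {who}")

def access_for(acl, requestor, entry):
    """First 'access to' clause whose <what> matches is selected; within it the
    first matching 'by' decides. No matching 'by', or no matching clause: none."""
    for what, by_list in acl:
        if what_matches(what, entry):
            for who, level in by_list:
                if who_matches(who, requestor, entry):
                    return level
            return "none"
    return "none"
```

Placing a general `access to * by * read` clause before the roaming clause makes `access_for` return `read` for harry on his own profile, because the first matching clause wins and the `dnattr=owner` rule is never reached.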