Sat, 2002-09-07 at 22:26, Ace Suares wrote:

> Allow me to try and answer my own question :-|
>
> > Given a subtree "dc=example,dc=com"
> > we want to be able to add sub-entries to that tree, but at the same
> > time we want to protect the "dc=example,dc=com" itself.
> > If possible without naming all attributes.
>
> a real-life solution:
>
> # this lets you auth
> # and lets you modify existing admins
> # the .one is to protect any (illegal) sublevels)
> access to dn.one="users=managers,aservice=_managers,application=cc"
>         by group="group=managers,aservice=_managers,application=cc" write
>         by anonymous auth
>
> # this lets you add and delete admins
> access to dn="users=managers,aservice=_managers,application=cc"
>         attrs=children
>         by group="group=managers,aservice=_managers,application=cc" write
>
> # This protects the entry
> access to dn="users=managers,aservice=_managers,application=cc"
>         by group="group=managers,aservice=_managers,application=cc" read
>
> Is this a good way to do it ?
> Are there smarter ways ?

Hoi die Ace,

Actually, I'm not quite sure what the problem was in the first place. The above is how I've let a HRManagers group manage certain attributes of groups in a hierarchy below them, and I find it obvious and self-explanatory.

I got Novell NDS stuffed into my head since its acceptance as stable in 4.1, with Novell's illogically-named concept of trees, containers and leaves, and that was the way you had to go - like it or lump it. With the Windows sysadmin GUI at that time, it was easy to get a concept of what one was doing.

Again I'd point out that it's hard to get a visual idea of an LDAP hierarchy without drawing it on "paper" first. In this respect, I don't think I'd have got as far as I have with LDAP (I'm still in the kindergarten, by the way) without GQ to practice dragging and dropping on and telling me what is allowed and not. Then one can go ahead with the OpenLDAP clients and confirm things.

GQ also gives excellent instruction in what objectClasses and attributes are allowed together and what's allowed in those attributes. And why, which is the most important bit.

> If you think it's the right solution, I'll make a faq entry for it.
> (but with generalized identifiers, like example.com)
> _Ace

Why not? But give reasons, at the same time.

Best,

Tony

--
Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981
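The three-rule pattern from Ace's post, rewritten for the "dc=example,dc=com" tree from his original question. This is an added example, not a configuration posted in the thread; the container "ou=people,dc=example,dc=com" and the group "cn=admins,ou=groups,dc=example,dc=com" are assumed names chosen for illustration. The scope styles (dn.one, dn.base) are written out explicitly so the reach of each rule does not depend on the default style of the slapd release in use.

```conf
# Added example, not from the thread. Ace's pattern applied to the
# "dc=example,dc=com" subtree of his question. Assumed names:
#   container: ou=people,dc=example,dc=com
#   admin group: cn=admins,ou=groups,dc=example,dc=com (a groupOfNames)
# slapd evaluates "access to" clauses in order and stops at the first
# clause whose target matches the entry being accessed, so the narrow
# dn.one rule must precede the rules for the container itself. Anything
# not granted by a matching "by" clause is denied (implicit "by * none").

# 1. Entries exactly one level below the container. The admin group may
#    modify them (all attributes, including the "entry" pseudo-attribute
#    needed when a new entry is added), and anyone may bind as them.
#    dn.one never matches deeper levels, so nothing can be created or
#    changed two or more levels down.
access to dn.one="ou=people,dc=example,dc=com"
        by group="cn=admins,ou=groups,dc=example,dc=com" write
        by anonymous auth

# 2. The container's "children" pseudo-attribute. Write access here is
#    what permits adding and deleting entries directly under it; without
#    this rule the group could edit existing children but not create or
#    remove any.
access to dn.base="ou=people,dc=example,dc=com" attrs=children
        by group="cn=admins,ou=groups,dc=example,dc=com" write

# 3. The container entry itself: read only, so even the admin group
#    cannot modify, rename or delete it. This rule has no attrs
#    restriction, so it must come after rule 2 or it would also capture
#    the "children" attribute and silently cancel the add/delete grant.
access to dn.base="ou=people,dc=example,dc=com"
        by group="cn=admins,ou=groups,dc=example,dc=com" read
```

A quick way to check the result after reloading slapd is to bind as a member of the admin group and attempt, in turn, a modify of an existing child, an add directly under the container, an add two levels down, and a modify of the container entry; only the first two should succeed. Rule order is the usual mistake: if rule 3 is placed first, the group loses the ability to add and delete children because rule 3 already matches the container for every attribute.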