[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL: protect entry but not children



lør, 2002-09-07 kl. 22:26 skrev Ace Suares:

> Allow me to try and answer my own question :-|

> > Given a subtree "dc=example,dc=com"
> > we want to be able to add sub-entries to that tree, but at the same 
> > time we want to protect the "dc=example,dc=com" itself.
> > If possible without naming all attributes.

> a real-life solution:

> # this lets you auth
> # and lets you modify existing admins
> # the .one is to protect any (illegal) sublevels)
> access to dn.one="users=managers,aservice=_managers,application=cc"
>    by group="group=managers,aservice=_managers,application=cc" write
>    by anonymous auth

> # this lets you add and delete admins
> access to dn="users=managers,aservice=_managers,application=cc" 
> attrs=children
>    by group="group=managers,aservice=_managers,application=cc" write

> # This protects the entry
> access to dn="users=managers,aservice=_managers,application=cc"
>    by group="group=managers,aservice=_managers,application=cc" read

> Is this a good way to do it ?
> Are there smarter ways ?

Hoi die Ace,

Actually, I'm not quite sure what the problem was in the first place.
The above is how I've let a HRManagers group manage certain attributes
of groups in a hierarchy below them and I find it obvious and self
explanatory.

I got Novell NDS stuffed into my head since its acceptance as stable in
4.1 with Novell's illogically-named concept of trees, containers and
leaves, and that was the way you had to go - like it or lump it. With
the Windows sysadmin GUI at that time, it was easy to get a concept of
what one was doing.

Again I'd point out that it's hard to get a visual idea of an LDAP
hierarchy without drawing it on "paper" first. In this respect, I don't
think I'd have got as far as I have with LDAP (I'm still in the
kindergarten, by the way) without GQ to practice dragging and dropping
on and telling me what is allowed and not. Then one can go ahead with
the Openldap clients and confirm things. GQ also gives excellent
instruction in what objectClasses and attributes are allowed together
and what's allowed in those attributes. And why, which is the most
important bit.

> If you think it's the right solution, I'll make a faq entry for it.
> (but with generalized identiefiers, like example.com)
> _Ace

Why not? But give reasons, at the same time.

Best,

Tony

-- 

Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981


Attachment: signature.asc
Description: Dette er en digitalt signert meldingsdel