
ACL and ACI



Hello all,

I got a directory structure like
c=de
  ou=user
    uid=LDAPuser...
    uid=ou2_user...
  o=org1
    ou=ou1
    ou=ou2
  o=org2

In my ACL I got
access to dn.subtree="ou=user,c=de"
  by dn="uid=LDAPuser..." write
  by anonymous auth
  by * none
access to dn.subtree="c=de"
  by dn="uid=LDAPuser..." write
  by * read

Everything is fine so far.
The ou branches are created by a program and represent a customer. Usually every customer allows anonymous read access to their branch, but sometimes a customer doesn't. Since I cannot change my config with every new customer, I manage it by using ACIs.
So if a customer doesn't want anonymous read access, I create a user (e.g. uid=ou2_user) with read access to ou=ou2. I manage this with an OpenLDAPaci "1#entry#grant;s,c,r;[all]#access-id#uid=ou2_user..."
My ACL would now be
access to dn.subtree="c=de"
  by dn="uid=LDAPuser..." write
  by aci read
Now I cannot access the rest anonymously anymore, because there is an implicit deny when no ACI is detected. It would be nice to have
  if aci
    by aci read
  else
    by * read


My question is now: how do I have to set my ACLs so that anonymous read access is allowed if there is no ACI? Is this possible?
It must be something like
"1#entry#grant;s,c,r;[all]#access-id#anonymous"


Remember - I cannot change the configuration once the server is running.

Thanks for any ideas!

--

Armin Wenz
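Added example (not from the post or from OpenLDAP): a small Python model of the evaluation the post describes, to make the implicit deny visible. It assumes slapd's first-matching-`by`-clause rule, that a `by aci` clause only matches when an OpenLDAPaci value on the target entry grants the requested right, and that a `by aci` clause no ACI satisfies simply falls through; the full DNs are constructed stand-ins for the post's truncated "uid=...".

```python
# Model of slapd ACL evaluation for the two configurations in the post (added example).
# Assumption: the first `by` clause whose subject matches decides; `by aci` matches only
# when an OpenLDAPaci value on the entry grants the right; no matching clause => deny.
from typing import Optional

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
PERM_LETTER = {"compare": "c", "search": "s", "read": "r", "write": "w"}

# Constructed DNs standing in for the post's "uid=LDAPuser..." / "uid=ou2_user...".
LDAPUSER = "uid=LDAPuser,ou=user,c=de"
OU2_USER = "uid=ou2_user,ou=user,c=de"

# Constructed entries; only ou=ou2 carries the ACI from the post.
ENTRIES = {
    "ou=ou1,o=org1,c=de": {},
    "ou=ou2,o=org1,c=de": {
        "OpenLDAPaci": ["1#entry#grant;s,c,r;[all]#access-id#" + OU2_USER],
    },
}

# The post's second "access to" block, and its rewritten form using `by aci`.
ACL_ORIGINAL = [(LDAPUSER, "write"), ("*", "read")]
ACL_WITH_ACI = [(LDAPUSER, "write"), ("aci", "read")]


def aci_grants(aci: str, subject: Optional[str], right: str) -> bool:
    """Parse '<oid>#<scope>#<action>;<perms>;<attrs>#<type>#<subject>' and report
    whether it grants `right` to `subject` (None means anonymous)."""
    _oid, _scope, rights, kind, who = aci.split("#", 4)
    action, perms, _attrs = rights.split(";", 2)
    if action != "grant" or kind != "access-id":
        return False
    return who == subject and PERM_LETTER[right] in perms.split(",")


def evaluate(clauses, subject: Optional[str], entry_dn: str, right: str) -> bool:
    """Return True if `subject` gets `right` on `entry_dn` under the ordered clauses."""
    for who, access in clauses:
        if who == "aci":
            acis = ENTRIES[entry_dn].get("OpenLDAPaci", [])
            if not any(aci_grants(a, subject, right) for a in acis):
                continue  # no ACI contributes: this clause does not decide
        elif who == "anonymous":
            if subject is not None:
                continue
        elif who != "*" and who != subject:
            continue
        return LEVELS[access] >= LEVELS[right]
    return False  # implicit deny: no clause matched


if __name__ == "__main__":
    for dn in ENTRIES:
        print(dn, "anonymous read, original:", evaluate(ACL_ORIGINAL, None, dn, "read"),
              "with aci:", evaluate(ACL_WITH_ACI, None, dn, "read"))
```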