ACL and ACI
- To: openldap-software@OpenLDAP.org
- Subject: ACL and ACI
- From: Armin Wenz <awenz@mtgnet.de>
- Date: Mon, 23 Sep 2002 16:05:12 +0200
- Organization: media transfer GmbH
- User-agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.1) Gecko/20020826
Hello all,
I have a directory structure like
    c=de
        ou=user
            uid=LDAPuser...
            uid=ou2_user...
        o=org1
            ou=ou1
            ou=ou2
        o=org2
In my ACL I have
    access to dn.subtree="ou=user,c=de"
        by dn="uid=LDAPuser..." write
        by anonymous auth
        by * none
    access to dn.subtree="c=de"
        by dn="uid=LDAPuser..." write
        by * read
Everything is fine so far.
The ou branches are created by a program, and each represents a customer.
Usually every customer allows anonymous read access to their branch. But
sometimes a customer doesn't. Since I cannot change my config with every new
customer, I manage it by using ACIs.
So if a customer doesn't want anonymous read access, I create a user (e.g.
uid=ou2_user) with read access to ou=ou2. I manage this by an
openLDAPaci "1#entry#grant;s,c,r;[all]#access-id#uid=ou2_user..."
My ACL would now be
    access to dn.subtree="c=de"
        by dn="uid=LDAPuser..." write
        by aci read
Now I cannot access the rest by anonymous anymore, because there is an
implicit deny when no ACI is detected. It would be nice to have
    if aci
        by aci read
    else
        by * read
My question is now: how do I have to set my ACLs so that anonymous read
access is allowed if there is no ACI? Is this possible?
It must be something like
    "1#entry#grant;s,c,r;[all]#access-id#anonymous"
Remember - I cannot change the configuration once the server is running.
Thanks for any ideas!
--
Armin Wenz
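The following is an added example, not part of the original post and not OpenLDAP's own ACL code. It parses the OpenLDAPaci value format quoted in the post and evaluates a read request under the two "by aci" policies the post contrasts: the implicit deny the poster observes, and the wished-for "if aci ... else by * read" fall-through. The subject types handled (access-id and public), the deny-beats-grant rule, and all DNs and entries are assumptions constructed for illustration. Running it shows the caveat a practitioner should weigh before asking for a read fallback: once the default is read, a grant-only ACI such as the one in the post no longer keeps anonymous out of ou=ou2, and adding an explicit public deny shuts out the customer's own uid=ou2_user as well.

```python
"""Toy model of OpenLDAPaci evaluation (added example, not OpenLDAP code).

Policies for the 'by aci' clause when no ACI speaks for the requester:
  strict      -> deny            (implicit deny, what the post observes)
  fallthrough -> read allowed    (the wished-for "else by * read")
Only the access-id and public subject types are modelled; deny beats grant.
"""
from dataclasses import dataclass, field

ANONYMOUS = None  # requester identity for an unauthenticated bind


@dataclass
class Aci:
    scope: str      # "entry" or "children"
    rights: list    # list of (action, {perms}, attrs) triples
    subj_type: str  # "access-id" or "public"
    subject: str    # DN for access-id, "" for public


def norm_dn(dn):
    """Simplified DN comparison key: lower-case, whitespace stripped per RDN."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_aci(value):
    """Parse one OpenLDAPaci value: oid#scope#rights#type#subject,
    where rights is one or more 'action;perms;attrs' triples."""
    parts = value.split("#", 4)
    if len(parts) != 5:
        raise ValueError("malformed OpenLDAPaci value: %r" % value)
    _oid, scope, rights, subj_type, subject = parts
    chunks = rights.split(";")
    if len(chunks) % 3 != 0:
        raise ValueError("malformed rights field: %r" % rights)
    triples = []
    for i in range(0, len(chunks), 3):
        action, perms, attrs = chunks[i:i + 3]
        if action not in ("grant", "deny"):
            raise ValueError("unknown action: %r" % action)
        triples.append((action, set(p for p in perms.split(",") if p), attrs))
    if subj_type not in ("access-id", "public"):
        raise ValueError("subject type not modelled: %r" % subj_type)
    return Aci(scope, triples, subj_type, subject)


@dataclass
class Entry:
    dn: str
    acis: list = field(default_factory=list)  # parsed Aci objects on the entry


def subject_matches(aci, requester):
    if aci.subj_type == "public":
        return True
    return requester is not None and norm_dn(requester) == norm_dn(aci.subject)


def aci_decision(entry, requester, perm):
    """True if an ACI grants perm, False if one denies it (deny wins),
    None if no ACI on the entry says anything about this requester/perm."""
    granted = denied = False
    for aci in entry.acis:
        if aci.scope != "entry" or not subject_matches(aci, requester):
            continue
        for action, perms, _attrs in aci.rights:
            if perm in perms:
                if action == "grant":
                    granted = True
                else:
                    denied = True
    if denied:
        return False
    return True if granted else None


def allowed(entry, requester, perm, policy):
    """Apply 'by aci <perm>' under the chosen policy."""
    decision = aci_decision(entry, requester, perm)
    if decision is not None:
        return decision
    if policy == "strict":
        return False          # implicit deny: "by aci read" on its own
    if policy == "fallthrough":
        return perm == "r"    # the wished-for "else by * read"
    raise ValueError("unknown policy: %r" % policy)


# Constructed directory fragment modelled on the post (DNs are illustrative).
OU2_USER = "uid=ou2_user,ou=user,c=de"
OU1 = Entry("ou=ou1,o=org1,c=de")                        # customer allows anonymous read
OU2 = Entry("ou=ou2,o=org1,c=de",                        # the post's grant-only ACI
            [parse_aci("1#entry#grant;s,c,r;[all]#access-id#" + OU2_USER)])
OU2_DENY = Entry("ou=ou2,o=org1,c=de",                   # plus a constructed public deny
                 OU2.acis + [parse_aci("1#entry#deny;r;[all]#public#")])


def scenario(policy):
    """Read decisions for the constructed entries under one policy."""
    return {
        "ou1/anonymous": allowed(OU1, ANONYMOUS, "r", policy),
        "ou2/anonymous": allowed(OU2, ANONYMOUS, "r", policy),
        "ou2/ou2_user": allowed(OU2, OU2_USER, "r", policy),
        "ou2deny/anonymous": allowed(OU2_DENY, ANONYMOUS, "r", policy),
        "ou2deny/ou2_user": allowed(OU2_DENY, OU2_USER, "r", policy),
    }


if __name__ == "__main__":
    for policy in ("strict", "fallthrough"):
        print(policy, scenario(policy))
```

Under "strict", ou=ou1 is closed to anonymous (the post's complaint) while ou=ou2 behaves as the customer wanted; under "fallthrough", ou=ou1 opens up but so does ou=ou2, because its grant-only ACI says nothing about anonymous. The public deny closes ou=ou2 under both policies, but to uid=ou2_user too. Any fallback design therefore has to give the opted-out branch a way to say "no" to anonymous without also saying it to the customer's own account.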