Re: ACL question - my solution



Everyone,
Thanks for your help. I finally figured out how to do it.

Below is the ACL portion of the slave's slapd.conf:

[...]

defaultaccess none

access to dn="(.*,)*ou=origin,dc=myorg,dc=org"
       by dn="cn=origin-service,ou=Services,dc=myorg,dc=org" read

access to dn="(.*,)*ou=target,dc=myorg,dc=org"
       by dn="cn=target-service,ou=Services,dc=myorg,dc=org" read

access to *
       by dn="cn=replicator,dc=myorg,dc=org" write
       by users read
       by * auth

[...]

where replicator is *not* a rootdn. This setup:
1) prevents anonymous access to any data within this dir
2) allows replicator to modify anything within this dir
3) lets the appropriate services read (the slave is read-only by definition) from their contexts. dn="(.*,)*ou=origin,dc=myorg,dc=org" is a catch-all for dn="uid=user1,ou=origin,dc=myorg,dc=org", for dn="ou=origin,dc=myorg,dc=org", and for anything underneath it.
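As an added check, not part of the post above, here is a small Python model of how slapd evaluates such an ACL: the first "access to" directive whose <what> matches the entry is selected, the first matching "by" clause inside it decides the level, and a matched <what> with no matching "by" clause is an implicit "by * none". The regex patterns are treated as anchored at both ends, which is a simplification of this model. Running it over the clauses from the post shows what each identity gets, including inside ou=origin for identities the subtree clause does not list (the replicator, for instance), which is worth verifying on a test slave before relying on it.

```python
import re

# Access levels in increasing order of privilege (slapd's ordering).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The ACL clauses transcribed from the post: (<what> dn regex or "*", [(who, level), ...]).
# <who> is "*", "users", "anonymous" or "dn:<regex>".
ACL = [
    (r"(.*,)*ou=origin,dc=myorg,dc=org",
     [("dn:cn=origin-service,ou=Services,dc=myorg,dc=org", "read")]),
    (r"(.*,)*ou=target,dc=myorg,dc=org",
     [("dn:cn=target-service,ou=Services,dc=myorg,dc=org", "read")]),
    ("*",
     [("dn:cn=replicator,dc=myorg,dc=org", "write"),
      ("users", "read"),
      ("*", "auth")]),
]


def who_matches(who, bind_dn):
    """Model the <who> selectors; bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "users":
        return bind_dn is not None
    if who == "anonymous":
        return bind_dn is None
    # "dn:<regex>": pattern treated as anchored (model assumption)
    return bind_dn is not None and re.fullmatch(who[3:], bind_dn) is not None


def granted(entry_dn, bind_dn):
    """Return the level slapd grants bind_dn on entry_dn under the ACL above."""
    for what, by_clauses in ACL:
        if what != "*" and re.fullmatch(what, entry_dn) is None:
            continue  # <what> does not match this entry: try the next directive
        # First matching <what> wins; within it the first matching "by" wins.
        for who, level in by_clauses:
            if who_matches(who, bind_dn):
                return level
        return "none"  # <what> matched but no "by" clause did: implicit "by * none"
    return "none"  # no directive matched at all: defaultaccess none


def allowed(entry_dn, bind_dn, requested):
    """True when the granted level is at least the requested one."""
    return LEVELS.index(granted(entry_dn, bind_dn)) >= LEVELS.index(requested)
```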