Re: ACL question - my solution
Everyone,
Thanks for your help. I finally figured out how to do it.
Below is an ACL portion from the slave's slapd.conf:
[...]
defaultaccess none
# slapd applies the first "access to" directive whose target matches the
# entry, so the replicator's write grant has to appear in every directive,
# not only in the final "access to *" one, or replication into these
# subtrees is denied.
access to dn="(.*,)*ou=origin,dc=myorg,dc=org"
        by dn="cn=replicator,dc=myorg,dc=org" write
        by dn="cn=origin-service,ou=Services,dc=myorg,dc=org" read
access to dn="(.*,)*ou=target,dc=myorg,dc=org"
        by dn="cn=replicator,dc=myorg,dc=org" write
        by dn="cn=target-service,ou=Services,dc=myorg,dc=org" read
access to *
        by dn="cn=replicator,dc=myorg,dc=org" write
        by users read
        by * auth
[...]
where replicator is *not* a rootdn. This setup:
1) prevents anonymous access to any data within this directory;
2) allows the replicator to modify anything within this directory;
3) lets the appropriate services read (the slave is read-only by definition)
from their contexts. dn="(.*,)*ou=origin,dc=myorg,dc=org" is a catch-all
for both dn="uid=user1,ou=origin,dc=myorg,dc=org" and
dn="ou=origin,dc=myorg,dc=org", as well as anything underneath it.
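As an added check (not part of the post or of OpenLDAP itself), here is a small Python model of how slapd picks the first "access to" directive whose target matches an entry and then the first "by" clause matching the requester. It runs over an ACL constructed to mirror the one above, with the replicator's write grant repeated in each directive, and shows which identity ends up with which level on sample DNs. It also shows that a grant present only in the final "access to *" directive never reaches entries that an earlier directive already claimed. The regex handling (unanchored, case-insensitive search for dn= targets) approximates OpenLDAP 2.0 behaviour and is an assumption; the DNs and ACL text are constructed.

```python
import re

# Constructed ACL text mirroring the post's directives, with the
# replicator granted write in every directive (see the caveat below).
ACL_TEXT = """
access to dn="(.*,)*ou=origin,dc=myorg,dc=org"
    by dn="cn=replicator,dc=myorg,dc=org" write
    by dn="cn=origin-service,ou=Services,dc=myorg,dc=org" read
access to dn="(.*,)*ou=target,dc=myorg,dc=org"
    by dn="cn=replicator,dc=myorg,dc=org" write
    by dn="cn=target-service,ou=Services,dc=myorg,dc=org" read
access to *
    by dn="cn=replicator,dc=myorg,dc=org" write
    by users read
    by * auth
"""

# Access levels in increasing order, as in slapd.access(5).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

REPLICATOR = "cn=replicator,dc=myorg,dc=org"
ORIGIN_SERVICE = "cn=origin-service,ou=Services,dc=myorg,dc=org"
TARGET_SERVICE = "cn=target-service,ou=Services,dc=myorg,dc=org"


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into directives."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            directives.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by "):
            m = re.match(r'by\s+(\*|users|anonymous|dn="([^"]*)")\s+(\w+)$', line)
            if not m or not directives:
                raise ValueError("unsupported ACL line: %r" % line)
            kind = "dn" if m.group(2) is not None else m.group(1)
            directives[-1]["by"].append((kind, m.group(2), m.group(3)))
    return directives


def target_matches(what, target_dn):
    """Does the directive's <what> select this entry? (dn= is a regex here.)"""
    if what == "*":
        return True
    m = re.match(r'dn="([^"]*)"$', what)
    if not m:
        raise ValueError("unsupported <what>: %r" % what)
    # Assumption: unanchored, case-insensitive regex match, as OpenLDAP 2.0
    # treated plain dn="..." patterns.
    return re.search(m.group(1), target_dn, re.IGNORECASE) is not None


def evaluate(directives, bind_dn, target_dn):
    """Return the level slapd would grant bind_dn (None = anonymous) on target_dn."""
    for d in directives:
        if not target_matches(d["what"], target_dn):
            continue
        # First matching directive wins; later directives are never consulted.
        for kind, pat, level in d["by"]:
            if kind == "*":
                return level
            if kind == "users" and bind_dn:
                return level
            if kind == "anonymous" and not bind_dn:
                return level
            if kind == "dn" and bind_dn and re.fullmatch(pat, bind_dn, re.IGNORECASE):
                return level
        return "none"  # no <who> matched: implicit trailing "by * none"
    return "none"  # no directive matched: "defaultaccess none" in the post


def allows(directives, bind_dn, target_dn, wanted):
    """True if the granted level is at least `wanted`."""
    return LEVELS.index(evaluate(directives, bind_dn, target_dn)) >= LEVELS.index(wanted)


def drop_first_replicator_grant(text):
    """Variant with the replicator's grant removed from the first directive only."""
    return text.replace('    by dn="cn=replicator,dc=myorg,dc=org" write\n', "", 1)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for who in (None, ORIGIN_SERVICE, TARGET_SERVICE, REPLICATOR):
        for entry in ("uid=user1,ou=origin,dc=myorg,dc=org", "ou=target,dc=myorg,dc=org"):
            print("%-55s on %-40s -> %s" % (who or "anonymous", entry, evaluate(acl, who, entry)))
```

The last function is the caveat in code form: with the replicator's grant present only under "access to *", the first directive still matches any entry under ou=origin, none of its "by" clauses match the replicator, and the result is "none" rather than "write".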