
Re: Access Control(access to attrs=userpassword)



# specifically to the attributes userPassword and sn (Surname, or Last Name in Microsoft Outlook)
access to attrs=userPassword,sn
        # allows the Manager or the rootdn to write these attributes
        by dn="cn=Manager, o=sunrise.com" write
        # allows authenticated users to write their own attributes
        by self write
        # allows anonymous and authenticated users to authenticate only; all are able to
        # contact the server through authentication, but access to the attributes depends
        # on the access rights above
        by * auth

# all entries and attributes (only the cn and mail attributes are left in entry.ldif)
# except the userPassword and sn attributes
access to *
        # allows the Manager or the rootdn to write these entries and attributes
        by dn="cn=Manager, o=sunrise.com" write
        # allows specific users to read entries and attributes (cn and mail attributes only, as in entry.ldif)
        by dn=".*, o=sunrise.com" read
        # allows authenticated users to write their own entry and attributes (cn and mail attributes only, as in entry.ldif)
        by self write
        # allows all authenticated users to read entries and attributes (cn and mail attributes only, as in entry.ldif)
        by users read
        # allows anonymous users to read entries and attributes (cn and mail attributes only, as in entry.ldif)
        by anonymous read
        # allows anonymous and authenticated users to authenticate only; all are able to
        # contact the server through authentication, but access to the attributes depends
        # on the access rights above
        by * auth
 
Rakesh Naidu.
ZeOmega Infotech
www.zeomega.com
 
         _o
     _\<_
__(_)/(_)  life's a journey not a destination....
----- Original Message -----
From: "Matty" <mattyml@bellsouth.net>
Sent: Saturday, December 28, 2002 8:29 AM
Subject: Re: Access Control

> I just got this to work (FINALLY!!). I added:
>
> access to attrs=userpassword
>         by * auth
>
> to the top of my access declarations. Anyone know why this is required?
>
> Thanks,
> Ryan
>
> On Fri, 2002-12-27 at 21:27, Matty wrote:
> > Howdy folks,
> >
> > I have been mucking with Access Control for the past day and 1/2, and
> > cannot seem to get a cn to authenticate. I created several
> > contact objects, and a cn named email [1] which I want to allow
> > read/write access to a specific branch of my DIT. After reading through
> > the docs on www.openldap.org, I thought:
> >
> > access to dn="ou=contacts,dc=dom,dc=com"        
> >         by  dn="cn=email,dc=dom,dc=com"  write
> >
> > would allow email to read/write to the contacts branch of the tree. When
> > I run ldapsearch:
> >
> > $ ldapsearch -h ldap.dom.com -LL -D 'cn=email,dc=dom,dc=com' -b
> > 'ou=contacts,dc=dom,dc=com' '(cn=*)'
> >
> > I get:
> >
> > Bind Password:
> > ldap_simple_bind_s: Insufficient access
> >
> > Anyone happen to know what I am missing? I have experimented with
> > various things I found on google, but so far, no luck :(
> >
> > Thanks for any insight,
> > Ryan
> >
> > [1]
> > dn: cn=email,dc=dom,dc=com
> > objectClass: top
> > objectClass: organizationalRole
> > objectClass: simpleSecurityObject
> > cn: email
> > description: User allowed to update the contacts tree
> > userPassword: (MD5)94cc0f2c4100623b4efc85a534b7cd2a
> --
> Ryan Matteson - UNIX Administrator
> GPG ID: 1B52A210 2002-12-01 Ryan Matteson (Primary Key Pair)
> <matty91@bellsouth.net>
> Public Key: http://www.daemons.net/~matty/public.asc
> Detached Digital Signature: http://www.daemons.net/~matty/public.sig.asc
> Fingerprint = A0B1 298E 29C4 3F26 01D5  EDFC 3D62 281F 1B52 A210
>
>
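The question in the thread is why `access to attrs=userpassword by * auth` has to come first. The answer lies in how slapd evaluates access directives: a simple bind is checked while the client is still anonymous, it needs `auth` on the bind DN's own userPassword attribute, and the first `access to` whose `<what>` matches the entry and attribute decides, with the first matching `by` clause inside it deciding and everything unmatched falling through to `none`. The following toy evaluator is an added illustration written for this page, not OpenLDAP code; it models only the directive forms used in the thread, treats the 2.0-style `dn="..."` as an unanchored case-insensitive regular expression (an assumption of the model), and uses `cn=alice, o=sunrise.com` as a made-up user DN under the reply's `o=sunrise.com` suffix. It replays Ryan's failing and working configurations and the reply's two directives, which also shows that within a directive the first matching `by` clause wins, so `by self write` placed after a broader `by dn=".*, o=sunrise.com" read` is never reached for a sunrise.com user.

```python
# Toy model of slapd access-directive evaluation, written for this thread (it is not
# OpenLDAP code) and covering only the directive forms that appear in the thread.
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Access levels in increasing order; a grant at one level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

@dataclass
class Directive:
    dn_regex: Optional[str] = None          # from dn="...", None = any entry
    attrs: Optional[FrozenSet[str]] = None  # from attrs=..., None = any attribute
    by: List[Tuple[str, str]] = field(default_factory=list)  # (<who>, <access>) pairs

def parse_acl(text: str) -> List[Directive]:
    """Parse slapd.conf-style access directives; lines starting with '#' are comments."""
    acl: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            d = Directive()
            what = line[len("access to "):].strip()
            if what != "*":
                key, _, val = what.partition("=")
                if key == "dn":
                    d.dn_regex = val.strip('"')
                elif key in ("attr", "attrs"):  # accept the older 'attr=' spelling as well
                    d.attrs = frozenset(a.lower() for a in val.split(","))
                else:
                    raise ValueError("unsupported <what>: " + what)
            acl.append(d)
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            acl[-1].by.append((who, level))
        else:
            raise ValueError("unexpected line: " + line)
    return acl

def who_matches(who: str, requester: Optional[str], target: str) -> bool:
    """requester is the bound DN, or None for an anonymous request."""
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (requester is None) == (who == "anonymous")
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    m = re.fullmatch(r'dn="(.*)"', who)
    if m:  # modelled as an unanchored, case-insensitive regex (an assumption of this model)
        return requester is not None and re.search(m.group(1), requester, re.I) is not None
    raise ValueError("unsupported <who>: " + who)

def granted(acl: List[Directive], requester: Optional[str], target: str, attr: str) -> str:
    """The first directive whose <what> matches the target decides, and within it the
    first matching 'by' clause decides; whatever is left unmatched gets 'none'."""
    for d in acl:
        if d.dn_regex is not None and re.search(d.dn_regex, target, re.I) is None:
            continue
        if d.attrs is not None and attr.lower() not in d.attrs:
            continue
        for who, level in d.by:
            if who_matches(who, requester, target):
                return level
        return "none"  # implicit trailing 'by * none'
    return "none"      # implicit trailing 'access to * by * none'

def allows(acl: List[Directive], requester: Optional[str], target: str, attr: str, needed: str) -> bool:
    return LEVELS.index(granted(acl, requester, target, attr)) >= LEVELS.index(needed)

def simple_bind_ok(acl: List[Directive], bind_dn: str) -> bool:
    """A simple bind is checked before the client is authenticated, so it is an
    anonymous request that needs 'auth' on the bind DN's own userPassword."""
    return allows(acl, None, bind_dn, "userPassword", "auth")

# Ryan's first attempt, then the version he reported working (both quoted in the thread).
RYAN_BEFORE = '''
access to dn="ou=contacts,dc=dom,dc=com"
        by dn="cn=email,dc=dom,dc=com" write
'''
RYAN_AFTER = 'access to attrs=userpassword\n        by * auth\n' + RYAN_BEFORE
# The two directives from the reply above, annotations dropped.
RAKESH = '''
access to attrs=userPassword,sn
        by dn="cn=Manager, o=sunrise.com" write
        by self write
        by * auth
access to *
        by dn="cn=Manager, o=sunrise.com" write
        by dn=".*, o=sunrise.com" read
        by self write
        by users read
        by anonymous read
        by * auth
'''

if __name__ == "__main__":
    email, alice = "cn=email,dc=dom,dc=com", "cn=alice, o=sunrise.com"  # alice is a made-up DN
    print("bind before fix:", simple_bind_ok(parse_acl(RYAN_BEFORE), email))  # False
    print("bind after fix:", simple_bind_ok(parse_acl(RYAN_AFTER), email))    # True
    # First matching 'by' wins: dn=".*, o=sunrise.com" read is reached before 'by self write'.
    print("alice on her own mail:", granted(parse_acl(RAKESH), alice, alice, "mail"))  # read
```

With Ryan's original single directive, nothing matches the userPassword attribute of `cn=email,dc=dom,dc=com`, so the anonymous bind request falls through to the implicit `access to * by * none` and the server answers `Insufficient access` before the password is ever compared. Putting the userPassword directive first gives the anonymous bind the `auth` level it needs, and because that directive matches only userPassword, the contacts directive still governs everything else.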