[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd.conf access statement

To: openldap-software@OpenLDAP.org
Subject: Re: slapd.conf access statement
From: Brenda Bell <k15a-list-openldap@mail.theotherbell.com>
Date: Sat, 11 Jan 2003 17:22:16 -0500
References: <9720C500-25A4-11D7-A6F0-00039385FC52@saffron.net>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

Jason Parsons wrote:

I have LDAP entries that look something like this:
dn: ou=blah.net,ou=accounts,dc=example,dc=net
    userpassword: password
dn: cn=one,ou=blah.net,ou=accounts,dc=example,dc=net
dn: ou=something.net,ou=accounts,dc=example,dc=net
    userpassword: password2
dn: cn=one,ou=something.net,ou=accounts,dc=example,dc=net
dn: cn=two,ou=something.net,ou=accounts,dc=example,dc=net
I would like to allow a user identified by the userpassword to have write access to all of the entries "under" that DN (cn=one, cd=two, ..."). I'm not exactly sure how to do this in slapd.conf. Can someone point me to syntax for the 'access' statements here?

An earlier post cleared up my access confusion so well I saved a copy and have used it several times as a cheat sheet. They used an example to explain what's happening. I quote:

access to attr=userPassword,sn
// specifically to attributes userPassword and sn(Surname) or Last Name
// in Microsoft Outlook

by dn="cn=Manager, o=sunrise.com" write
// allows the Manager or the rootdn to write into these attributes

by self write // allows authenticated users to write its own attributes

by * auth // allows anonymous and authenticated users to be authenticated only; // all able to contact to server through // authentication but the access to the attributes depend // the above access rights

access to * // all entries and attributes (left cn and mail attributes // only in entry.ldif) except userPassword and sn attributes

by dn="cn=Manager, o=sunrise.com" write
// allows the Manager or the rootdn to write into these attributes

by dn=".*, o=sunrise.com" read
// allows specific users to read into entries and
// attributes(cn and mail attributes only as in entry.ldif)

by self write // allows authenticated users to write its own entry and // attributes(cn and mail attributes only as in entry.ldif)

by users read // allows all authenticated users to read entries and // attributes(cn and mail attributes only as in entry.ldif)

by anonymous read
// allows anonymous to read entries and
// attributes(cn and mail attributes only as in entry.ldif)

by * auth // allows anonymous and authenticated users to be // authenticated only; all able to contact to server through // authentication but the access to the attributes depend // the above access rights

Thanks Rakesh!!!

References:
- slapd.conf access statement
  - From: Jason Parsons <jparsons-lists@saffron.net>

Prev by Date: Re: Anyone on this list patient with stupid questions?
Next by Date: Solaris 8 and test008-concurrency fails
Index(es):
- Chronological
- Thread