Re: OpenLDAP 2.1 and ACL
I tried an alternative: to use group access, as documented.
I set up the following group:
dn: cn=administrators,ou=Anciens,o=ANIENIB,c=FR
cn: administrators
objectclass: groupofNames
objectclass: top
member: uid=eblot,ou=Anciens,o=ANIENIB,c=FR
with the following ACL:
access to attr=userPassword
by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
by self write
by * auth
access to attr=uid,member
by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
by users read
by * auth
access to attr=sn,cn
by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
by users read
When I use ldapsearch to access the 'cn' attribute of an object, I get no result.
(ldapsearch -D "uid=<uid>,ou=Anciens,o=ANIENIB,c=FR" -b "ou=Anciens,o=ANIENIB,c=FR" -x -W
'sn=<someone>' cn)
where <uid> represents a valid user, with a userPasswd and so on -> authentication, access and
search/result work fine with the default access rules
Not when I use my custom ACL 8(:
The OpenLDAP server (2.1) logs that it does not find the rule to access the 'entry' attribute.
Do I need to define an ACL for this 'entry' attribute ? What kind of rule, to whom ??
Please let me know if someone has a working setup with group access,
since I'm kinda lost, once more 8'((
Regards,
Emmanuel.
> Emmanuel Blot writes:
> > I'd like to give different access rights depending on the 'gid' value.
> >
> > gid>=10, user can write maildrop and cn
> > gid>=2, user can write maildrop, but can only read cn
> >
> > What kind of ACL rules can I use to implement this kind of control ?
> > Are there some rules for <who> that will be something like "by filter =
> > (group>=8)" ... ??
>
> I don't see how. Both filter= and attrs= are in the <what> part of
> ACLs, and I don't think <what> can have several components.
> I think you'll have to use ACIs.
>
> --
> Hallvard
>
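The log line in Emmanuel's message above is the real hint: slapd must grant at least read on the `entry` pseudo-attribute before it will return an entry from a search at all, and his ACL set never mentions it (nor any catch-all, so attributes such as objectClass are not readable either). The following slapd.conf fragment is an added example, not from the original post; it reuses the post's group DN and `attr=` spelling, adds an explicit `entry` rule, and closes with a catch-all so the search for `cn` returns results again:

```conf
# Pseudo-attribute 'entry': read access on it is what lets slapd return
# an entry in search results; without this clause searches come back empty.
access to attr=entry
        by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
        by users read
        by * none

# Unchanged from the post: password only for bind (auth) or owner/admins.
access to attr=userPassword
        by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
        by self write
        by * auth

access to attr=uid,member
        by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
        by users read
        by * auth

access to attr=sn,cn
        by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
        by users read

# Catch-all for every attribute not named above (objectClass, mail, ...).
# The first matching 'access to' clause wins, so this must stay last;
# the explicit 'by * none' keeps anonymous clients from reading anything.
access to *
        by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
        by users read
        by * none
```

Continuation lines in slapd.conf must start with whitespace as shown; after restarting slapd, the same `ldapsearch -D "uid=<uid>,..." ... 'sn=<someone>' cn` from the post is the quickest check that the `entry` rule now matches.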