
Re: OpenLDAP 2.1 and ACL



I tried an alternative: to use group access, as documented.

I set up the following group:

dn: cn=administrators,ou=Anciens,o=ANIENIB,c=FR
cn: administrators
objectclass: groupofNames
objectclass: top
member: uid=eblot,ou=Anciens,o=ANIENIB,c=FR

with the following ACL:

access to attr=userPassword
       by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
       by self write
       by * auth

access to attr=uid,member
       by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
       by users read
       by * auth

access to attr=sn,cn
       by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
       by users read


When I use ldapsearch to access the 'cn' attribute of an object, I get no result.
(ldapsearch -D "uid=<uid>,ou=Anciens,o=ANIENIB,c=FR" -b "ou=Anciens,o=ANIENIB,c=FR" -x -W 'sn=<someone>' cn)

where <uid> represents a valid user, with a userPassword and so on -> authentication, access and
search/result work fine with the default access rules.
Not when I use my custom ACL 8(:

The OpenLDAP server (2.1) logs that it does not find the rule to access the 'entry' attribute.

Do I need to define an ACL for this 'entry' attribute? What kind of rule, and for whom??

Please let me know if someone has a working setup with group access,
since I'm kinda lost, once more 8'((

Regards,
Emmanuel.




> Emmanuel Blot writes:
> > I'd like to give different access rights depending on the 'gid' value.
> >
> > gid>=10, user can write maildrop and cn
> > gid>=2, user can write maildrop, but can only read cn
> >
> > What kind of ACL rules can I use to implement this kind of control?
> > Are there some rules for <who> that would be something like "by filter =
> > (group>=8)" ... ??
>
> I don't see how.  Both filter= and attrs= are in the <what> part of
> ACLs, and I don't think <what> can have several components.
> I think you'll have to use ACIs.
>
> --
> Hallvard
>
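The 'entry' question in the message above: in OpenLDAP 2.1, once any access directive exists, anything not matched by one is denied, and a search only returns an entry if the bound DN has read access to the entry's 'entry' pseudo-attribute, independently of its rights on cn, sn or any other attribute. The slapd.conf fragment below is an added example, not part of the original message or of Emmanuel's setup; it reuses the DNs quoted above and assumes the group stays a groupOfNames with 'member' (the default for by group=...).

```conf
# Added example for slapd.conf (OpenLDAP 2.1 syntax), not the original
# poster's configuration. DNs are the ones quoted in the message.

# Passwords: administrators and the user itself may write; everyone
# else may only use the value to authenticate (simple bind).
access to attrs=userPassword
       by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
       by self write
       by * auth

# Identity and group membership attributes.
access to attrs=uid,member
       by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
       by users read
       by * none

# Naming attributes plus the 'entry' pseudo-attribute. Without read on
# 'entry', slapd returns nothing for the search, which is the symptom
# logged above. 'children' covers adding/deleting entries below this one.
access to attrs=sn,cn,entry,children
       by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
       by users read
       by * none

# Catch-all for every other attribute: without it, attributes not named
# in an earlier directive are denied to everyone, administrators included.
access to *
       by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
       by users read
       by * none
```

The filter 'sn=<someone>' also needs at least search access on sn for the bound user, which the 'by users read' clause already grants since read implies search.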