
Re: Questions on ACL



The FAQ-O-Matic had just the example of regex I needed! Thanks for the info, Mike.

In the end this is what I was essentially looking for (for archiving purposes on the list):


access to dn="ou=([^,]+),ou=contacts,dc=example,dc=com" attrs=children,entry,uid
        by dn="uid=$1,ou=users,dc=example,dc=com" write
        by users read



The goal was to have a public place within LDAP that users could store/share contact information, and within a subtree where a search for * would be limited to outside information, and not include users. Essentially mail merge on this subtree, point your email client to ou=users for completion.


If anyone knows of a nicer way to do this for reasons unforeseen, please let me know.

Jeremy Kuhnash
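To see what the rule above actually grants, here is an added Python simulation of the way slapd walks its access directives: first `access to` clause whose target regex matches the entry wins, then the first `by` clause whose subject matches the requester wins, with `$1` in the subject expanded from the target match. This is my own illustration, not OpenLDAP code or the poster's; the DNs are constructed sample data and the rule set is reduced to the single directive posted. The point it makes visible is that the target regex is unanchored, so it matches the contact entries stored beneath ou=<user>,ou=contacts as well as the ou= entry itself; anchoring it with ^ and $ leaves those child entries without a matching clause.

```python
"""Simplified model of slapd ACL evaluation for the posted regex rule.

Added example, not code from the OpenLDAP project or the original poster.
All DNs and the rule set are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Access levels in slapd order; a higher level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class ByClause:
    who: str     # "*", "users", "self", or "dn=<template>" with $1..$9
    level: str


@dataclass
class AclRule:
    target_dn: str                           # regex tested against the entry DN
    attrs: set = field(default_factory=set)  # empty set means every attribute
    by: list = field(default_factory=list)


def _expand(template, m):
    """Substitute $1..$9 in a subject template from the target regex match.

    slapd treats the expanded string as a regex itself; the templates used
    here contain no metacharacters, so an exact comparison is equivalent.
    """
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def evaluate(rules, requester_dn, target_dn, attr):
    """Return the level ``requester_dn`` gets on ``attr`` of ``target_dn``.

    Mirrors slapd once at least one access directive is configured: the
    first directive whose target (and attrs) match decides, and if none of
    its "by" clauses match, access stops there as "none". An empty
    requester DN models an anonymous bind.
    """
    for rule in rules:
        m = re.search(rule.target_dn, target_dn)   # regexec: unanchored unless ^/$
        if not m:
            continue
        if rule.attrs and attr not in rule.attrs:
            continue
        for clause in rule.by:
            if clause.who == "*":
                return clause.level
            if clause.who == "users" and requester_dn:          # any authenticated DN
                return clause.level
            if clause.who == "self" and requester_dn == target_dn:
                return clause.level
            if clause.who.startswith("dn=") and _expand(clause.who[3:], m) == requester_dn:
                return clause.level
        return "none"   # target matched, no "by" clause matched: stop and deny
    return "none"       # no directive applied to this entry/attribute


def allows(level, wanted):
    """True when ``level`` grants at least the ``wanted`` right."""
    return LEVELS.index(level) >= LEVELS.index(wanted)


# The directive from the message, as posted (unanchored target regex).
POSTED = [AclRule(
    target_dn=r"ou=([^,]+),ou=contacts,dc=example,dc=com",
    attrs={"children", "entry", "uid"},
    by=[ByClause("dn=uid=$1,ou=users,dc=example,dc=com", "write"),
        ByClause("users", "read")],
)]

# Same directive with the regex anchored: matches only the ou= entry itself.
ANCHORED = [AclRule(
    target_dn=r"^ou=([^,]+),ou=contacts,dc=example,dc=com$",
    attrs={"children", "entry", "uid"},
    by=POSTED[0].by,
)]

# Constructed sample DNs.
JEREMY = "uid=jeremy,ou=users,dc=example,dc=com"
MIKE = "uid=mike,ou=users,dc=example,dc=com"
BOOK = "ou=jeremy,ou=contacts,dc=example,dc=com"              # jeremy's address book
CONTACT = "cn=Alice,ou=jeremy,ou=contacts,dc=example,dc=com"  # an entry stored inside it

if __name__ == "__main__":
    print("jeremy on own book entry  :", evaluate(POSTED, JEREMY, BOOK, "entry"))
    print("mike on jeremy's book     :", evaluate(POSTED, MIKE, BOOK, "entry"))
    print("anonymous on jeremy's book:", evaluate(POSTED, "", BOOK, "entry"))
    print("unanchored, contact entry :", evaluate(POSTED, JEREMY, CONTACT, "entry"))
    print("anchored,   contact entry :", evaluate(ANCHORED, JEREMY, CONTACT, "entry"))
```

Attributes not listed in `attrs` (the `mail` case in the test below) fall through this directive entirely, so whatever later access directives say decides them; the simulation returns "none" because it models only the one directive posted.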


Mike O'Rourke wrote:

Please see:
http://www.openldap.org/faq/data/cache/52.html OpenLDAP Faq-O-Matic
    OpenLDAP Software FAQ
      Configuration
        SLAPD Configuration
          Access Control
            How do I use groups as manage access controls?


Mike.



Jeremy Kuhnash <lists@planetzed.net> 02/14/03 04:49am >>>


This is the second question in a week with basically the same content:

How can you handle directory writing on a basis other than 'self' or
matching a single user like manager? The openldap manual _even skips_
the 'regex' method of defining ACLs, but there must be a way to do it.
I too would like users to be able to store address books in LDAP for
roaming and sharing purposes ... this is huge information when being a
proponent of the use of openldap over things like Lotus Domino or
Msft. Exchange.

Thanks,
Jeremy


Etienne Goyer wrote:



Hi,

I am currently in the planning phase of a large-scale installation of
OpenLDAP for a client. The installation will be used as address book
and authentication repository for various systems, with 12 000 users at
first (expected to grow to near 100 000 in the future).

I have most of the issues sorted out (backup, replication, schema,
etc.) but I still have a few questions concerning ACLs.

First, can the ACL directives be stored outside of slapd.conf? For
obvious reasons, access to this file has to be pretty much restricted.
If not, that would forbid delegation of ACL management.

Second, is there a way to have changes in ACL directives applied
without restarting the service?

Third, is there a performance penalty for having a lot of ACL
directives? As a side question, how are ACLs processed? Are they
applied before the search or on the result set?

Thanks for your insight. Pointers to docs explaining these issues are
welcome. So far, my search for answers to these questions has been
fruitless.