[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Questions on ACL

To: "Mike O'Rourke" <mjoop@curia.op.org>, openldap-software@OpenLDAP.org
Subject: Re: Questions on ACL
From: Jeremy Kuhnash <lists@planetzed.net>
Date: Fri, 14 Feb 2003 16:01:41 -0500
In-reply-to: <se4cfd21.049@border.curia.op.org>
References: <se4cfd21.049@border.curia.op.org>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021212

The FAQ-O-Matic had just the example of regex I needed! Thanks for the info, Mike.

In the end this is what I was essentially looking for (for archiving purposes on the list):

access to dn="ou=([^,]+),ou=contacts,dc=example,dc=com" attrs=children,entry,u id by dn="uid=$1,ou=users,dc=example,dc=com" write by users read

The goal was to have a public place within LDAP that users could store/share contact information, and within a subtree where a search for * would be limited to outside information, and not include users. Essentially mail merge on this subtree, point your email client to ou=users for completion.

If anyone knows of a nicer way to do this for reasons unforseen, please let me know.

Jeremy Kuhnash


Mike O'Rourke wrote:

Please see: http://www.openldap.org/faq/data/cache/52.html OpenLDAP Faq-O-Matic \_OpenLDAP Software FAQ \_Configuration \_SLAPD Configuration \_Access Control \_How do I use groups as manage access controls?
Mike.
Jeremy Kuhnash <lists@planetzed.net> 02/14/03 04:49am >>>
This is the second question in a week with basically the same content:
How can you handle directory writing on a basis other than 'self' or matching a single user like manager? The openldap manual _even skips_

the 'regex' method of defining ACLs, but there must be a way to do it. I too would like users to be able to store address books in LDAP for roaming and sharing purposes ... this is huge information when being a
proponent of the use of openldap over things like Lotus Domino or Msft.
Exchange.
Thanks,
Jeremy
Etienne Goyer wrote:
Hi,
I am currently in the planification phase a large-scale installation
of

OpenLDAP for a client. The installation will be used as address book

and authentification repository for various system with 12 000 users

at
first (expected to grow near 100 000 in the future).
I have of the most of the issue sorted out (backup, replication,
schema,
etc) but I still have a few interrogations concerning ACLs.
First, can the ACL directives be stored outside of slapd.conf ? For obvious reasons, access to this file have to be pretty much
restricted.
If not, that would forbid deleguation of ACL management.
Second, is there a way to have changes in ACLs directive applied
without
restarting the service ?
Third, is there a performance penalities for having a lot of ACL
directives ?  As a side question, how are ACL processed ?  Are they
applied before the search or on the results set ?
Thanks for your insight.  Pointer to doc explaining these issue are
welcome.  So far, my search for answers to these questions have been
fruitless.

Prev by Date: Re: i have no name!
Next by Date: RE: openldap and SSL with AD
Index(es):
- Chronological
- Thread