Access * by * auth?
CHANGING
access *
by dn="o=mydomian.com" write
by self write
TO
access *
by dn="o=mydomian.com" write
by self write
by * auth
ALLOWED USERS WITH DIFFERENT dn TO MODIFY any attribute of any entry.
This seems NOT to be in sync with the "access control" documented by the man pages!!
Any clue on this?
Thanx
- Kiran
-----Original Message-----
From: Kiran Bacche
Sent: Thursday, May 15, 2003 1:50 PM
Cc: openldap-software@OpenLDAP.org
Subject: Access Control
I am using OpenLDAP on Red Hat Linux 8.0.
Rootdn is "o=mydomain.com"
And I have three entries under it.
Entry 1. "ou=Unit1, o=mydomain.com"
Entry 2. "ou=Unit2, o=mydomain.com"
Entry 3. "ou=Unit3, o=mydomain.com"
All three have the userPassword attr, set through the ldappasswd utility.
Now how should the access control in slapd.conf be so that
A) ldapmodify -h localhost -D "ou=Unit1, o=mydomain.com" -x -w passForUnit1 -f x.ldif
should allow modification of Entry 1.
But ldapmodify -h localhost -D "ou=Unit2, o=mydomain.com" -x -w passForUnit2 -f x.ldif
or ldapmodify -h localhost -D "ou=Unit3, o=mydomain.com" -x -w passForUnit3 -f x.ldif
should not.
x.ldif contains
dn: ou=Unit1, o=mydomain.com
Ou: Unit1
objectClass: organizationalUnit
B) Anyone can search the LDAP database, but they have to authenticate
with their respective passwords.
I thought of something like this
access *
by dn="o=mydomina.com" write
by self write
by * read
But this did not help at all!
Thanx
Kiran
**************************Disclaimer************************************
Information contained in this E-MAIL being proprietary to Wipro Limited is
'privileged' and 'confidential' and intended for use only by the individual
or entity to which it is addressed. You are notified that any use, copying
or dissemination of the information contained in the E-MAIL in any manner
whatsoever is strictly prohibited.
***************************************************************************
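Added example, not part of the original message: a small Python model of the first-match evaluation documented in slapd.access(5), applied to the DNs from the message, showing what the documented rules predict for requirements A and B. The names DRAFT and TIGHT and the clauses in TIGHT are assumptions chosen for illustration; the rootdn clause is left out because the rootdn is not subject to access control.

```python
# Simplified model of slapd.access(5): within an "access to" directive the
# first matching "by <who>" clause decides the level, and an implicit
# "by * none" ends every list. This is a model, not slapd itself.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ROOTDN = "o=mydomain.com"  # rootdn from the message; it bypasses ACLs


def norm(dn):
    """Normalise a DN for comparison (case and spaces around commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous (unauthenticated) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(entry_dn)
    raise ValueError(f"unsupported who clause: {who}")


def granted(acl, bind_dn, entry_dn):
    """Level that acl, a list of (who, level), gives bind_dn on entry_dn."""
    if bind_dn is not None and norm(bind_dn) == norm(ROOTDN):
        return "write"
    for who, level in acl:
        if who_matches(who, bind_dn, entry_dn):
            return level
    return "none"


def allows(acl, bind_dn, entry_dn, wanted):
    """Each level implies every lower one, so compare positions in LEVELS."""
    return LEVELS.index(granted(acl, bind_dn, entry_dn)) >= LEVELS.index(wanted)


# Constructed inputs: DNs from the message and two candidate "access to *" lists.
UNIT1, UNIT2 = "ou=Unit1, o=mydomain.com", "ou=Unit2, o=mydomain.com"
DRAFT = [("self", "write"), ("*", "read")]  # the list tried in the message
TIGHT = [("self", "write"), ("users", "read"), ("anonymous", "auth")]  # assumption

if __name__ == "__main__":
    for name, acl in (("draft", DRAFT), ("tight", TIGHT)):
        for bind_dn in (UNIT1, UNIT2, None):
            print(name, bind_dn, "->", granted(acl, bind_dn, UNIT1))
```

Under this model both lists limit writes on Entry 1 to Unit1 itself, but DRAFT also gives read access to anonymous sessions, while TIGHT leaves them only the auth level needed to bind.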