[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Fw: slapd.conf Access Question

To: openldap-software@OpenLDAP.org
Subject: Re: Fw: slapd.conf Access Question
From: M Butcher <mbutcher@grcomputing.net>
Date: 06 Jun 2003 14:23:18 -0600
In-reply-to: <OFC920442F.8D2ABB51-ON85256D3D.0063B3CD-85256D3D.00640C23@roadwaynextday.com>
Organization:
References: <OFC920442F.8D2ABB51-ON85256D3D.0063B3CD-85256D3D.00640C23@roadwaynextday.com>

You'll want to change both rules ("access to *" and "access to
attr=userPassword"). Note that the rule does not need (maybe doesn't
allow) 'dn' in the by line.

Matt

On Fri, 2003-06-06 at 12:12, Mike Carpenter wrote:
> I believe so, but just to make sure...
> 
> I should change the access rule in the conf file to say:
> access * by
> dn.group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us"
> write
> 
> My object for the organizationalRole is exactly as you have listed
> below, so on that I was on the right path.
> ----- Forwarded by Mike Carpenter/Arnold Industries on 06/06/2003
> 02:08 PM -----
> 
> M Butcher
> <mbutcher@grcomputing.net>
> 
> 06/06/2003 12:41 PM
>         
>         To:        Mike
> Carpenter
> <MCarpenter@roadwaynextday.com>
>         cc:      
> openldap-software@OpenLDAP.org
>         Subject:      
> Re: slapd.conf Access
> Question
> 
> 
> If I understand you correctly, cn=Admins,o=myorg,c=us is a role, but
> your rule is treating it as a base under which DN's would belong (e.g.
> uid=me,cn=Admins,o=myorg,c=us). What you want is a rule that searches
> the attributes of that DN and tests for a matching roleOccupant, like
> this:
> 
> by group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us"
> write
> 
> What this rule says is that "cn=Admin..." is a group of objectclass
> organizationalRole, where each member is identified by the attribute
> roleOccupant.
> 
> So... your record should look like this (stripped down -- you prob.
> want/need more attributes):
> 
> dn: cn=Admins,o=myorg,c=us
> objectClass: organizationalRole
> cn: Admins
> roleOccupant: cn=me,o=myorg,c=us
> roleOccupant: cn=you,o=myorg,c=us
> ...
> 
> Does that make sense?
> 
> Matt
> 
> 
> On Fri, 2003-06-06 at 08:16, Mike Carpenter wrote:
> > I just wanted to take a moment to thank everyone who has answered my
> > questions.  You have really helped get my LDAP project off the
> ground.
> > 
> > However, now another question has arisen.
> > 
> > In the slapd.conf file, I am trying to set-up the access rights so
> my
> > administrators don't need to authenticate using the rootdn.
> > 
> > My access rules are as follows:
> > 
> > access to attr=userPassword
> >         by self write
> >         by anonymous auth
> >         by dn.base="cn=Admins,o=myorg,c=us" write
> >         by * none
> > 
> > access to *
> >         by self write
> >         by dn.base="cn=Admins,o=myorg,c=us" write
> >         by * read
> > 
> > cn=Admins,o=myorg,c=us being an organization role with several
> > roleoccupant attributes, each one containing a DN of a directory
> > administrator.
> > 
> > It appears that the 1st access rule is working correctly, since
> people
> > in the group can see and manage the password while people outside
> the
> > group can not see the attribute, however the second access rule is
> not
> > working at all.   It appears that everyone only has read access
> except
> > the rootdn of course.   
> > 
> > Thanks again.
> >  
> -- 
> M Butcher <mbutcher@grcomputing.net>
-- 
M Butcher <mbutcher@grcomputing.net>

References:
- Fw: slapd.conf Access Question
  - From: "Mike Carpenter" <MCarpenter@roadwaynextday.com>

Prev by Date: Re: [SOLVED] OpenLDAP 2.1.19 and ACLs
Next by Date: RE: Problems using HDB...
Index(es):
- Chronological
- Thread