Re: ACL List New bee
> > Could someone guide me how I can control access to a directory tree
> > structure?
> >
> > My current acl looks like this
> > access to *
> > by self write
> > by users read
> > by anonymous read
> > by * none
> > I would like to restrict access to one particular container
>
> man slapd.access(5)
> http://www.openldap.org/doc/admin21/
First of all, please change 'by anonymous read' to 'by anonymous auth'.
Authenticating always happens anonymously, and by allowing 'read' you will let
the anonymous user read all your entries! (Not good!)
Secondly, you need entries which have at least the 'userPassword' attribute;
otherwise they won't have a password to log in with.
Third, you need to find out what ACL you need for 'ou=test'.
Let's assume your suffix is 'dc=example,dc=com', then something like this
might work:
access to dn.regex=".*,ou=test,dc=example,dc=com"
by users read
by * none
access to *
by self write
by users read
by anonymous auth
by * none
The ORDER in which you put the ACLs is important! Reverse the order and the
second ACL is never read (because '*' also encompasses 'ou=test,...').
Be aware that the first ACL does NOT give access to the entry
'ou=test,dc=example,dc=com' itself, so the second rule is used!
_Ace
>
> -Dieter
--
Ace Suares' Internet Consultancy
NIEUW ADRES: Postbus 2599, 4800 CN Breda
telefoon: 06-244 33 608
fax en voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
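The two points in the reply, that slapd consults only the first 'access to' whose target matches and that the unanchored regex leaves the 'ou=test' entry itself to the catch-all rule, can be checked offline with a small simulator. This is an added example, not code from the message or from OpenLDAP: it models only the '*' and 'dn.regex=' targets and the 'self', 'users', 'anonymous' and '*' who-clauses, treats the regex as unanchored (Python re.search, assumed here to mirror POSIX regexec; anchor your patterns with ^ and $ if you want no doubt), and uses constructed copies of the two ACL sets from the thread.

```python
"""Toy first-match evaluator for the slapd ACL fragments in the reply above.

Constructed example, not OpenLDAP code.  Supports 'access to *' and
'access to dn.regex=...' targets and the who-clauses self, users, anonymous
and *, with slapd's ordered access levels, so that the ordering and regex
caveats from the reply can be checked without a running slapd.
"""
import re

# slapd access levels, weakest to strongest; a granted level implies all lower ones
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse 'access to <target>' / 'by <who> <level>' lines into
    a list of (target, [(who, level), ...]) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            who, level = line[3:].split()
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            rules[-1][1].append((who, level))
    return rules


def target_matches(target, dn):
    if target == "*":
        return True
    if target.startswith("dn.regex="):
        pattern = target[len("dn.regex="):].strip('"')
        # Assumed regexec semantics: match anywhere unless the pattern carries ^ and $
        return re.search(pattern, dn) is not None
    raise ValueError(f"unsupported target {target!r}")


def who_matches(who, requester, dn):
    """requester is the bound DN, or "" for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and requester == dn
    raise ValueError(f"unsupported who clause {who!r}")


def evaluate(rules, requester, dn):
    """Return (granted_level, index_of_rule_used).

    Like slapd, only the FIRST 'access to' whose target matches dn is consulted;
    within it the first matching 'by' clause decides, and no match means 'none'.
    """
    for i, (target, clauses) in enumerate(rules):
        if not target_matches(target, dn):
            continue
        for who, level in clauses:
            if who_matches(who, requester, dn):
                return level, i
        return "none", i
    return "none", None


def allowed(rules, requester, dn, needed):
    level, _ = evaluate(rules, requester, dn)
    return LEVELS.index(level) >= LEVELS.index(needed)


# Constructed copies of the ACL sets discussed in the thread.
ORIGINAL = """
access to *
    by self write
    by users read
    by anonymous read
    by * none
"""

FIXED = """
access to dn.regex=".*,ou=test,dc=example,dc=com"
    by users read
    by * none
access to *
    by self write
    by users read
    by anonymous auth
    by * none
"""


def reversed_rules():
    """FIXED with the two 'access to' blocks swapped, i.e. the catch-all first."""
    return parse_acl(FIXED)[::-1]


if __name__ == "__main__":
    entry = "cn=alice,ou=test,dc=example,dc=com"
    for name, rules in [("original", parse_acl(ORIGINAL)),
                        ("fixed", parse_acl(FIXED)),
                        ("fixed, reversed", reversed_rules())]:
        for who in ["", entry, "cn=bob,ou=people,dc=example,dc=com"]:
            level, idx = evaluate(rules, who, entry)
            print(f"{name:16} requester={who or 'anonymous':40} -> {level:5} (rule {idx})")
```

Running it shows that with the original ACL anonymous gets 'read' everywhere, that with the fixed ACL anonymous gets 'none' under ou=test and only 'auth' elsewhere, that 'ou=test,dc=example,dc=com' itself falls through to the second rule, and that reversing the blocks makes the catch-all rule win for every entry (self gets 'write' under ou=test again, and the ou=test rule is never consulted).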