
Re: ACL List New bee

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> > Could someone guide me how I can control access to a directory tree
> > structure.
> >
> > My current acl looks like this
> > access to *
> >         by self write
> >         by users read
> >         by anonymous read
> >         by * none
> > I would like to restrict access to one particular container
>
> man slapd.access(5)
> http://www.openldap.org/doc/admin21/

First of all, please change 'by anonymous read' to 'by anonymous auth'.
Authenticating always happens anonymously, and by allowing 'read' you will let 
the anonymous user read all your entries ! (Not Good !)

Secondly, you need entries which have at least the 'userPassword' attribute - 
else they won't have a password to login with.

Third, you need to find out what ACL you need for 'ou=test'.
Let's assume your suffix is 'dc=example,dc=com', then something like this 
might work:

access to dn.regex=".*,ou=test,dc=example,dc=com"
	by users read
	by * none

access to *
         by self write
         by users read
         by anonymous auth
         by * none

The ORDER in which you put the ACL is important ! Reverse the order and the 
second ACL is never read (because '*' also encompasses 'ou=test,...')

Be aware that the first ACL does NOT give access to the entry 
'ou=test,dc=example,dc=com' itself, so the second rule is used !

_Ace

>
> -Dieter

- -- 
Ace Suares' Internet Consultancy
NEW ADDRESS: Postbus 2599, 4800 CN Breda
phone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/1+Ory7boE8xtIjURAhlLAJ9FvIad9Oaiyp/87Tz3+sMN5FLb3gCfe7nS
uTevoyiOgIxOggDE9hacEO0=
=1dk9
-----END PGP SIGNATURE-----
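The two points in the reply above (directive order matters, and the `dn.regex` pattern does not select the `ou=test` container entry itself) can be checked with a small model of slapd's first-match evaluation. The code below is an added illustration, not part of the reply and not OpenLDAP code. It assumes that `dn.regex` is applied to the entry DN as a case-insensitive regex search, that `by` clauses are tested in written order, that a directive whose `what` matches but whose `who` clauses do not ends in denial, and it uses constructed sample DNs under the `dc=example,dc=com` suffix from the reply.

```python
import re

# Added illustration, not OpenLDAP code: a toy model of how slapd picks the
# access level for one client on one entry. Assumptions: dn.regex is applied
# to the entry DN with a case-insensitive search, <who> clauses are tested
# in the order written, and the first matching directive decides the result.

SUFFIX = "dc=example,dc=com"

# The two directives from the reply, in the order the reply recommends.
POSTED_ORDER = [
    (r".*,ou=test," + SUFFIX, [("users", "read"), ("*", "none")]),
    ("*", [("self", "write"), ("users", "read"),
           ("anonymous", "auth"), ("*", "none")]),
]
# The same directives with the order reversed (the mistake the reply warns about).
REVERSED_ORDER = list(reversed(POSTED_ORDER))


def what_matches(what, entry_dn):
    """Does the <what> clause select this entry? '*' selects every entry."""
    if what == "*":
        return True
    return re.search(what, entry_dn, re.IGNORECASE) is not None


def who_matches(who, entry_dn, bind_dn):
    """Does the <who> clause apply to a client bound as bind_dn (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    raise ValueError("unsupported <who> clause: %s" % who)


def access_level(acls, entry_dn, bind_dn=None):
    """First matching <what> wins; within it, the first matching <who> wins.

    Returns the access level as a string ('none', 'auth', 'read', 'write').
    A directive that matches the entry but none of whose <who> clauses match
    the client ends the evaluation with 'none'; the same fallback is assumed
    when no directive matches at all (both lists above end with 'access to *').
    """
    for what, who_list in acls:
        if not what_matches(what, entry_dn):
            continue
        for who, level in who_list:
            if who_matches(who, entry_dn, bind_dn):
                return level
        return "none"
    return "none"


def compare_orders(entry_dn, bind_dn=None):
    """Return (level under the posted order, level under the reversed order)."""
    return (access_level(POSTED_ORDER, entry_dn, bind_dn),
            access_level(REVERSED_ORDER, entry_dn, bind_dn))


if __name__ == "__main__":
    # Constructed sample DNs under the suffix assumed in the reply.
    bob = "cn=bob,ou=test," + SUFFIX
    container = "ou=test," + SUFFIX
    print("anonymous on", bob, compare_orders(bob))             # ('none', 'auth')
    print("bob on his own entry", compare_orders(bob, bob))      # ('read', 'write')
    print("anonymous on", container, compare_orders(container))  # ('auth', 'auth')
```

The first two lines of output show what reversing the order costs: an anonymous client that should get nothing on entries under `ou=test` is instead offered `auth`, and a user bound as the entry itself gains `write` where the intended rule grants only `read`. The third line shows the container entry: the pattern `.*,ou=test,...` needs a comma before `ou=test`, so it never selects `ou=test,dc=example,dc=com` itself, and the `access to *` directive decides that entry in either order, exactly as the reply says.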