
Re: access rights in ldap-tree



Hello, yes, I'm responding to my own post eh :>
>
> How do I, or can I at all, put some access controls (rules) for LDAP
> into LDAP itself? It doesn't matter to me whether the LDAP server which
> provides the access rights is the same one to which the access rights
> apply, or a different one (another instance).

So, finally I found this

http://www.openldap.org/faq/data/cache/448.html

and this

http://www.openldap.org/faq/data/cache/758.html

BTW, navigating via this FAQ-o-Matic is terrible, if you ask me; Google
found this for me :>

So, finally there's something about keeping LDAP access controls in LDAP
itself. Good news for Debian users: Debian sarge/sid packages
OpenLDAP 2.1.26, which is compiled with ACI support.

However, this sounds strange to me (this is from one of the mentioned links):

"OpenLDAP 2.0 implements only in part the proposed draft and will try to
track changes to it. That means the access control information you so
carefully defined in your directory now suddenly means something
completely different from what you intended."

Has anyone been using, or does anyone use, this feature? What does this stand for? :-)
Does it mean that when I set "read" it may do "write"? :)))

BTW many thanks to jsanchez@openldap.org :-)

(http://www.openldap.org/faq/data/cache/447.html
"OpenLDAP 2.0 comes with a great many enhancements in the access control
area. These many new features are currently poorly documented. This
document is an attempt at documenting them and reflects my understanding
from the code and comments in the mailing lists. ")

Regards
Piotr