Can I do this with OpenLDAP acls?
- To: openldap-software@OpenLDAP.org
- Subject: Can I do this with OpenLDAP acls?
- From: Steve Sobol <sjsobol@JustThe.net>
- Date: Wed, 14 Apr 2004 08:04:54 -0700
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031013 Thunderbird/0.3
Using version 2.1.22, can I do the following?
Here are two entries from my LDAP directory:
# sjsobol, users, justthe.net
dn: uid=sjsobol,ou=users,dc=justthe,dc=net
uid: sjsobol
loginShell: /bin/bash
uidNumber: 500
gidNumber: 2000
homeDirectory: /home/sjsobol
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: jtnUserAccount
cn: Steve Sobol
gecos: JTN Steven J. Sobol
masterAccount: sjsobol
# m-rrb, users, justthe.net
dn: uid=m-rrb,ou=users,dc=justthe,dc=net
uid: m-rrb
uidNumber: 518
gidNumber: 2000
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: jtnUserAccount
homeDirectory: /home/m-rrb
loginShell: /bin/bash
cn: REC.RADIO.BROADCASTING Moderator Mailbox
gecos: REC.RADIO.BROADCASTING Moderator Mailbox
masterAccount: sjsobol
jtnUserAccount is an OC of my own creation that allows the masterAccount
attribute to be added to an entry. The purpose of this attribute is to
show common ownership of one or more directory entries. My schema is as
follows... (12388 is a Private Enterprise Number assigned to me by IANA.)
objectIdentifier JTNRoot 1.3.6.1.4.1.12388
objectIdentifier JTNattributeType JTNRoot:1
objectIdentifier userAccountAttributeType JTNRoot:1.1
objectIdentifier JTNobjectClass JTNRoot:2
objectIdentifier userAccountOClassType JTNRoot:2.1
objectIdentifier JTNElement JTNRoot:3
attributeType ( userAccountAttributeType:1
    NAME 'masterAccount'
    DESC 'Master Account that controls one or more logins'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( userAccountOClassType:1
    NAME 'jtnUserAccount'
    SUP posixAccount
    DESC 'JustThe.net User Account'
    AUXILIARY
    MUST (gecos $ masterAccount) )
Now, here's what I need to know: Can I, given the aforementioned data,
create an ACL that will allow the user account specified by masterAccount
(in this case, uid=sjsobol, since the value of masterAccount is supposed
to match the value of an existing uid attribute) to have full control of
both entries? In other words, since masterAccount=sjsobol for both entries,
can I write an ACL that will allow uid=sjsobol,ou=users,dc=justthe,dc=net
full access to both entries?
Right now if I do an ldapsearch for masterAccount=sjsobol and I bind as
uid=sjsobol,ou=users,dc=justthe,dc=net, I only get the entry for
uid=sjsobol and not the one for uid=m-rrb, so obviously, given my current
ACLs
access to attr=userPassword
    by dn="cn=Manager,dc=justthe,dc=net" write
    by self write
    by anonymous read
    by * auth

access to *
    by dn="cn=Manager,dc=justthe,dc=net" write
    by anonymous read
    by self read
uid=sjsobol does not have permission to even read uid=m-rrb's entry.
I'm curious as to whether I can do what I'm trying to do. For a certain
LDAP entry I need to give the uid specified by the masterAccount attribute
full access, and I have absolutely no clue how to do it - or even whether I
can.
TIA,
Steve
--
JustThe.net Internet & New Media Services, Apple Valley, CA PGP: 0xE3AE35ED
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net
"someone once called me a sofa, but i didn't feel compelled to rush out and buy
slip covers." -adam brower * Hiroshima '45, Chernobyl '86, Windows 98/2000/2003
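One way to express the ownership rule the post asks about, as an added slapd.conf example that is not part of the original message or of OpenLDAP's own documentation: a set= ACL clause that matches when the bound user's uid value equals the target entry's masterAccount value. It assumes the poster's schema and base DN and that the 2.1.22 build in use supports the set= clause (experimental and barely documented in the 2.1 series, so verify on a test server first).

```conf
# Added example (not from the original post). Assumes the poster's schema:
# masterAccount holds the uid of the owning account.
#
# The set clause compares attribute values: "user/uid" is the uid of the
# entry the client bound as, "this/masterAccount" is the masterAccount of the
# entry being accessed. It matches when the two sets share a value, e.g. both
# contain "sjsobol". The clause is evaluated on every entry, so a search for
# masterAccount=sjsobol bound as uid=sjsobol returns uid=m-rrb as well.
#
# Because the rule trusts uid and masterAccount, neither attribute may be
# writable by ordinary users or by the master account itself; otherwise an
# account could rewrite its own uid to claim another master's entries.
access to attr=uid,masterAccount
    by dn="cn=Manager,dc=justthe,dc=net" write
    by * read

# Passwords: the entry owner, its master account and the manager may write;
# everyone else may only bind against it. The original ACL also granted
# anonymous read on userPassword, which this example leaves out.
access to attr=userPassword
    by dn="cn=Manager,dc=justthe,dc=net" write
    by self write
    by set="user/uid & this/masterAccount" write
    by * auth

# Everything else: manager and master account get write, the entry itself
# and anonymous clients keep the read access the original ACL gave them.
# Order matters: the first matching "by" clause decides.
access to *
    by dn="cn=Manager,dc=justthe,dc=net" write
    by set="user/uid & this/masterAccount" write
    by self read
    by anonymous read
```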