
Re: Newbie Question on access control
--On Friday, July 02, 2004 4:21 PM -0700 Rob Tanner <rtanner@linfield.edu> wrote:

> Hi,
>
> I am going to be moving from the Netscape commercial server to OpenLDAP,
> and while I have the ACIs in Netscape down pretty well, I'm having a bit
> of trouble duplicating the access on OpenLDAP.
>
> Right off the bat, I want to grant read access to everybody to those
> entries in the "ou=people,o=linfield.edu" subtree, but I need to restrict
> access so that students who have elected to keep directory info private
> don't have LDAP entries that are generally readable.
>
> Here's the access rule I wrote:
>
> access to dn.subtree="ou=people,o=linfield.edu"
>     filter="(&(!(ferpaStatus=Private))(!(entryStatus=Inactive))(ou=Student))"
>     by * read
>
> The effect of the access rule, however, is to deny access to all entries.
> What am I doing wrong?

Hi Rob,

We did this same migration at Stanford.

I suggest reading my web pages:
<http://www.stanford.edu/services/directory/openldap/>

BTW, you should really change your root DN to "dc=linfield,dc=edu"

I'd be happy to provide further assistance if you have more questions after reading my pages.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
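Added example, not part of the thread and not taken from the Stanford pages Quanah links: a slapd.conf ACL fragment that implements the policy Rob describes. Two things matter here that a single filtered rule does not cover. First, slapd evaluates "access to" directives in order and stops at the first whose target (dn plus filter) matches the entry being accessed, so a catch-all for the non-matching entries has to come after the filtered rule. Second, the ACL filter is matched against the target entry itself, so the "ou=people,o=linfield.edu" entry (which has no ou=Student value) never matches Rob's rule; a subtree search rooted there needs at least search access to that base entry, otherwise the search fails even though the student entries below it are readable. The attribute names ferpaStatus, entryStatus and the ou=Student value come from Rob's rule; the "by self read" clause is an assumption about what private students should still be allowed to see.

```conf
# Added example (not from the thread): slapd.conf ACLs for the policy Rob
# describes. ferpaStatus, entryStatus and ou=Student are taken from his rule;
# the "by self read" clause is an assumption, adjust to local policy.
#
# slapd uses the FIRST "access to" directive whose <what> (dn + filter)
# matches the entry being accessed, so specific rules go before general ones.

# 1. The search base itself. A subtree search rooted at ou=people needs
#    search access to this entry, and the filtered rule below never matches
#    it (the ou entry carries no ou=Student attribute). "read" implies
#    search, compare and auth, so this is enough.
access to dn.exact="ou=people,o=linfield.edu"
        by * read

# 2. Publicly readable people: active students who have not opted out.
#    The filter is evaluated against the target entry, not against the
#    client's search filter.
access to dn.subtree="ou=people,o=linfield.edu"
        filter="(&(!(ferpaStatus=Private))(!(entryStatus=Inactive))(ou=Student))"
        by * read

# 3. Everything else under ou=people (private or inactive students, and any
#    entry that is not a student): the entry may read itself, nobody else
#    may see it. The deny is written out rather than left to the default.
access to dn.subtree="ou=people,o=linfield.edu"
        by self read
        by * none
```

To check the result, run an anonymous subtree search against the base (for example `ldapsearch -x -b "ou=people,o=linfield.edu" "(sn=*)"`) and confirm that only active, non-private students come back; then bind as a private student and repeat the search, which should return that student's own entry and nothing else. The rootdn bypasses ACLs entirely, so it needs no rule of its own.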