
Re: OpenLDAP: ACL : urgent



Hi,
This is my tree
c=MY
    o=A
        ou=a1
    o=B
        ou=a2
    o=C
        ou=a3

What I need to do is that only the ou=a3 subtree and its children CAN ONLY be
accessed by a closed user group, i.e. users under this tree should have access
to it.
This closed user group accesses it via a username-password. Only one pair is
required for the whole community of this closed user group to access/read
it.

My access list configuration in the slapd.conf is as such:-
access to dn="ou=a3,o=C,c=MY" by users read
access to * by * read

When I check via an LDAP browser, I managed to achieve this, that is I can
view ou=a1, ou=a2, o=C. ou=a3 cannot be seen.
However, to view ou=a3 I did this ... reconfigured the LDAP browser base
entry as o=C,c=MY and set the username and password to point to the
rootdn/rootpassword ... which should not be the case. Is there a way to
introduce a specific one just for that tree? As Quanah mentioned, you can't
lock down the tree. So how could one achieve this .. any workaround?

My project is a migration project. The current one is running on CriticalPath
and it could do that. Hence, I'm ensuring the look and feel is not changed,
hence my requirement above. Could anyone propose any suggestions?

.sakthi
----- Original Message -----
From: "Quanah Gibson-Mount" <quanah@stanford.edu>
To: <openldap-software@OpenLDAP.org>
Cc: "Sivasakthi d/o Sivagnanam" <sakthi@digicert.com.my>
Sent: Wednesday, June 09, 2004 7:16 AM
Subject: Re: OpenLDAP: ACL : urgent


>
>
> --On Monday, June 07, 2004 5:00 PM +0800 "Sivasakthi d/o Sivagnanam"
> <sakthi@digicert.com.my> wrote:
>
> > Hi,
> >
> > I have the following structure for my OpenLDAP DIT:-
> > ROOT has subtree A and subtree B
> >
> > How do I go about setting a specific username|password for subtree B so
> > that only a group of users is able to read only, write only and
> > read+write ?
>
> There's not a whole lot here to go on.
>
> You don't lock down a tree by username/password.  You set up ACLs saying
> what group of users (or users) have access to a tree.
>
>
> Like:
>
> access to dn.base="cn=treeB,dc=digicert,dc=com,dc=my"
>        by group.base="cn=usergroup,dc=digicert,dc=com,dc=my" read
>        by dn.base="uid=sakthi,dc=digicert,dc=com,dc=my" write
>        by * break
>
> or something along those lines.  I suggest reading:
>
> man slapd.access
>
> to see how to do write only (since "write" implies read+write).
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/Shared Services
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
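For readers following this thread: the posted ACL `access to dn="ou=a3,o=C,c=MY" by users read` matches only the ou=a3 entry itself, not its children, and `by users` grants every authenticated bind rather than one group. The slapd.conf fragment below is an added illustration for this thread, not configuration from either poster; the group name cn=a3readers,o=C,c=MY and the administrator uid=a3admin,o=C,c=MY are assumed.

```conf
# Added example for this thread (not the original poster's configuration).
# Goal from the question: ou=a3 and everything below it readable only by one
# closed user group; the rest of the DIT stays readable by everyone.
# Assumed entries: cn=a3readers,o=C,c=MY is a groupOfNames whose "member"
# values are the DNs of the closed user group (each member binds with their
# own DN and password, instead of a shared rootdn credential);
# uid=a3admin,o=C,c=MY is the only DN allowed to write under ou=a3.

# slapd evaluates "access to" clauses in order and stops at the first clause
# whose target matches the entry, so the restrictive rule must come first.
# dn.subtree (not dn.base or dn.exact) makes the rule cover the children too.
access to dn.subtree="ou=a3,o=C,c=MY"
        by group.exact="cn=a3readers,o=C,c=MY" read
        by dn.exact="uid=a3admin,o=C,c=MY" write
        by * none

# Everything else keeps the behaviour of the original "access to * by * read".
access to *
        by * read
```

Note the final `by * none` instead of Quanah's `by * break`: `break` would fall through to the catch-all `access to * by * read` and make ou=a3 world-readable again, whereas `none` also hides the ou=a3 entry from anyone outside the group. Check the result by binding as a group member and as an unrelated user with ldapsearch against base ou=a3,o=C,c=MY.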