I read up on ldappasswd... looks like it would fit my requirement?
I did

    ldappasswd -x -D "cn=<>,c=MY" "ou=a3,o=C,c=MY"

and managed to set the password, but when I used ou=a3,o=C,c=MY as the user
credential and the password in the client browser, it says insufficient access.
Maybe I need to rework my ACL... tried a few,
but they didn't seem to work.
Does it make sense what I'm doing here, or have I
got it wrong?
----- Original Message -----
Sent: Thursday, November 04, 2004 11:24 AM
Subject: Re: OpenLDAP: ACL : urgent
Hi,

This is my tree:

c=MY
  o=A
    ou=a1
  o=B
    ou=a2
  o=C
    ou=a3
What I need to do is that only the ou=a3 subtree and its children CAN ONLY be
accessed by a closed user group, i.e. users under this tree should have access
to it. This closed user group accesses it via a username/password. Only one
pair is required for the whole community of this closed user group to
access/read it.
My access list configuration in slapd.conf is as such:

access to dn="ou=a3,o=C,c=MY"
    by users read
access to *
    by * read
When I check via an LDAP browser, I managed to achieve this, that
is, I can view ou=a1, ou=a2 and o=C; ou=a3 cannot be seen. However, to view
ou=a3 I did this: reconfigured the LDAP browser base entry as
o=C,c=MY and set the username and password to the
rootdn/rootpw... which should not be the case. Is
there a way to introduce a specific one just for that tree? As Quanah
mentioned, you can't lock down the tree. So how could one achieve this... any
workaround?
My project is a migration project. The current one is running
on CriticalPath and it could do that. Hence I'm ensuring the look and feel
is not changed, hence my requirement above. Could anyone propose any
suggestions?
.sakthi

----- Original Message -----
From: "Quanah Gibson-Mount" <quanah@stanford.edu>
To: <openldap-software@OpenLDAP.org>
Cc: "Sivasakthi d/o Sivagnanam" <sakthi@digicert.com.my>
Sent: Wednesday, June 09, 2004 7:16 AM
Subject: Re: OpenLDAP: ACL : urgent
> --On Monday, June 07, 2004 5:00 PM +0800 "Sivasakthi d/o Sivagnanam"
> <sakthi@digicert.com.my> wrote:
>
> > Hi,
> >
> > I have the following structure for my OpenLDAP DIT:
> > ROOT has subtree A and subtree B
> >
> > How do I go about setting a specific username|password for subtree B so
> > that only a group of users is able to read only, write only and
> > read+write?
>
> There's not a whole lot here to go on.
>
> You don't lock down a tree by username/password. You set up ACLs saying
> what group of users (or users) have access to a tree.
>
> Like:
>
> access to dn.base="cn=treeB,dc=digicert,dc=com,dc=my"
>     by group.base="cn=usergroup,dc=digicert,dc=com,dc=my" read
>     by dn.base="uid=sakthi,dc=digicert,dc=com,dc=my" write
>     by * break
>
> or something along those lines. I suggest reading:
>
> man slapd.access
>
> to see how to do write only (since "write" implies read+write).
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/Shared Services
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
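An ACL set that does what the thread is after, added here as an example; it is not part of the thread and not the poster's own configuration. It assumes the single shared credential is the userPassword that ldappasswd put on ou=a3,o=C,c=MY itself, and that the rest of the DIT should stay readable. The DNs are the ones from the thread; the group DN in the commented-out line is assumed.

```conf
# Added example, not from the thread. slapd.conf ACLs for a "closed user
# group" that shares one DN/password for the ou=a3 subtree.
#
# slapd evaluates "access to" clauses in order and the first clause whose
# target matches the entry decides, so the specific rules come first.

# 1. Let the shared DN (and any other entry) authenticate. A simple bind is
#    checked as an anonymous "auth" access to userPassword; if this clause is
#    missing, the subtree rule below hides userPassword from anonymous and
#    the bind as ou=a3,o=C,c=MY fails before any search is attempted.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. ou=a3 and everything below it: dn.subtree covers the children as well
#    as the ou entry itself. Only the shared DN gets read; "by * none" hides
#    the subtree from everyone else, anonymous or authenticated.
#    Note that the rootdn always bypasses ACLs, so a test bound as rootdn
#    proves nothing about this rule.
access to dn.subtree="ou=a3,o=C,c=MY"
    by dn.exact="ou=a3,o=C,c=MY" read
#   by group.exact="cn=a3readers,o=C,c=MY" read   # Quanah's group-based
#                                                 # variant; group DN assumed
    by * none

# 3. Everything else stays world-readable, as in the original configuration.
access to *
    by * read
```

To verify, search anonymously with base o=C,c=MY (ldapsearch -x -b "o=C,c=MY") and confirm o=C is returned but nothing under ou=a3; then bind as the shared DN (ldapsearch -x -D "ou=a3,o=C,c=MY" -W -b "ou=a3,o=C,c=MY") and confirm the subtree is returned. If a bind or search still fails, run slapd with ACL debugging (slapd -d 128) and the log shows which clause matched and what access it granted.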