
Re: OpenLDAP: ACL : urgent



Regarding what I've explained below... I don't want a specific
username-password to lock down the ou=a3 tree. What I would like is for each
user under that tree to use their respective credential, i.e. username=dn, which
contains their unique attribute, say a serialNumber, and a password which is set
the same for everyone. Is it possible with the Advanced ACL, or are there
other solutions?

----- Original Message ----- 
From: "Sébastien Bahloul" <bahloul@linagora.com>
To: "Sivasakthi" <sakthi@digicert.com.my>
Sent: Thursday, November 04, 2004 12:16 PM
Subject: Re: OpenLDAP: ACL : urgent


> Hi,
>
> One solution is to use Advanced ACL, which is a separate backend, not
> part of the official OpenLDAP Software: http://aacls.sourceforge.net/.
> It is going to be reimplemented as an overlay in the next two months.
>
> Regards,
>
> Sebastien.
>
> Sivasakthi a écrit :
>
> > Hi,
> > This is my tree
> > c=MY
> >     o=A
> >         ou=a1
> >     o=B
> >         ou=a2
> >     o=C
> >         ou=a3
> >
> > What I need to do is that only the ou=a3 subtree and its children CAN ONLY be
> > accessed by a closed user group, i.e. users under this tree should have access
> > to it.
> > This closed user group accesses it via a username-password. Only one pair is
> > required for the whole community of this closed user group to access/read
> > it.
> >
> > My access list configuration in the slapd.conf is as such:-
> > access to dn="ou=a3,o=C,c=MY" by users read
> > access to * by * read
> >
> > When I check via an LDAP browser, I managed to achieve this, that is I can
> > view ou=a1, ou=a2, o=C. ou=a3 cannot be seen.
> > However, to view ou=a3 I did this... reconfigured the LDAP browser base
> > entry as o=C,c=MY and set the username and password to point to the
> > rootdn/rootpassword........  which should not be the case. Is there a
> > way to introduce a specific one just for that tree? As Quanah mentioned, you
> > can't lock down the tree. So how could one achieve this... any workaround?
> >
> > My project is a migration project. The current one is running on CriticalPath
> > and it could do that. Hence I'm ensuring the look and feel is not changed,
> > hence my requirement above. Could anyone propose any suggestions?
> >
> > .sakthi
> > ----- Original Message -----
> > From: "Quanah Gibson-Mount" <quanah@stanford.edu>
> > To: <openldap-software@OpenLDAP.org>
> > Cc: "Sivasakthi d/o Sivagnanam" <sakthi@digicert.com.my>
> > Sent: Wednesday, June 09, 2004 7:16 AM
> > Subject: Re: OpenLDAP: ACL : urgent
> >
> >
> > >
> > >
> > > --On Monday, June 07, 2004 5:00 PM +0800 "Sivasakthi d/o Sivagnanam"
> > > <sakthi@digicert.com.my> wrote:
> > >
> > > > Hi,
> > > >
> > > > I have the following structure for my OpenLDAP DIT:-
> > > > ROOT has subtree A and subtree B
> > > >
> > > > How do I go about setting a specific username|password for subtree B so
> > > > that only a group of users is able to read only, write only and
> > > > read+write?
> > >
> > > There's not a whole lot here to go on.
> > >
> > > You don't lock down a tree by username/password.  You set up ACLs saying
> > > what group of users (or users) have access to a tree.
> > >
> > >
> > > Like:
> > >
> > > access to dn.base="cn=treeB,dc=digicert,dc=com,dc=my"
> > >        by group.base="cn=usergroup,dc=digicert,dc=com,dc=my" read
> > >        by dn.base="uid=sakthi,dc=digicert,dc=com,dc=my" write
> > >        by * break
> > >
> > > or something along those lines.  I suggest reading:
> > >
> > > man slapd.access
> > >
> > > to see how to do write only (since "write" implies read+write).
> > >
> > > --Quanah
> > >
> > > --
> > > Quanah Gibson-Mount
> > > Principal Software Developer
> > > ITSS/Shared Services
> > > Stanford University
> > > GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
> >
>
>
> -- 
> Sébastien BAHLOUL
> Chef de projet / Expert Annuaires LDAP
> LINAGORA SA - http://www.linagora.com
> Tél.: +33(0)1 58 18 68 28 - Fax : +33(0)1 58 18 68 29
> Portable : +33 (0) 6 64 86 43 01
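
An added example, not from any message in this thread, of slapd.conf ACLs for the
setup described in the top message: entries under ou=a3,o=C,c=MY bind with their
own DN and may read only that subtree, everyone else keeps read access to the rest
of the DIT, and no separate "tree password" is involved. The DNs are the ones from
the thread; the attribute names userPassword and serialNumber, and the sample bind
DN in the ldapsearch comment, are assumptions.

```conf
# Added example, not from the thread.  Order matters: slapd uses the first
# "access to" clause whose target matches, then the first "by" clause whose
# requester matches; if no "by" matches, access is denied (implicit "by * none").

# 1. Binding.  The simple bind is checked with the anonymous identity, so
#    anonymous needs "auth" on userPassword or nobody under ou=a3 can log in
#    at all.  Nobody may read the hash.  This must precede rule 2, which would
#    otherwise hide userPassword of ou=a3 entries from anonymous.
access to attrs=userPassword
        by anonymous auth
        by * none

# 2. The closed-user-group subtree.  dn.subtree covers ou=a3 itself and all
#    entries below it.  Note that a bare dn="..." (no style) means dn.exact and
#    matches only the ou=a3 entry, so its children fall through to a later
#    "access to * by * read" and stay world-readable.  Only a requester whose
#    own bind DN is below ou=a3 (dn.children) may read; "by * none" stops
#    everyone else, anonymous included.  The rootdn bypasses ACLs entirely,
#    which is why binding as rootdn showed the tree.
access to dn.subtree="ou=a3,o=C,c=MY"
        by dn.children="ou=a3,o=C,c=MY" read
        by * none

# 3. Everything else stays readable, as in the original configuration.
access to *
        by * read

# Check (assumed entry DN; serialNumber as the RDN attribute is an assumption):
#   ldapsearch -x -D "serialNumber=123,ou=a3,o=C,c=MY" -W -b "ou=a3,o=C,c=MY" "(objectClass=*)"
# should return the subtree, while the same search with -x and no -D (anonymous)
# or bound as an entry under o=A or o=B should return nothing from ou=a3.
```

The shared password in the top message is simply the same userPassword value
stored on every entry under ou=a3; the ACLs above never look at the password,
only at the DN the client has bound as.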