
Re: OpenLDAP: ACL : urgent



Managed to solve my problem.

My solution basically is yes, getting the right ACL. After trial and
error, I got the right combination.
created ldappasswd for dn="<attr>,cn=X,ou=a3,o=C,c=MY"

access to dn.base="ou=a3,o=C,c=MY" by users read
access to dn.children="cn=X,ou=a3,o=C,c=MY"
    by anonymous auth
    by * none
access to * by * read

.sakthi
----- Original Message ----- 
From: "Sivasakthi" <sakthi@digicert.com.my>
To: "Sébastien Bahloul" <bahloul@linagora.com>; "OpenLDAP Software List"
<openldap-software@OpenLDAP.org>
Sent: Saturday, November 06, 2004 9:37 AM
Subject: Re: OpenLDAP: ACL : urgent


> Regarding what I've explained below... I don't want a specific
> username-password to lock down the ou=a3 tree. What I would like is each
> user under that tree uses their respective credential, i.e. username=dn which
> contains their unique attribute, say a serialNumber, and a password which is set
> the same for everyone. Is it possible with the Advanced ACL or are there
> other solutions?
>
> ----- Original Message ----- 
> From: "Sébastien Bahloul" <bahloul@linagora.com>
> To: "Sivasakthi" <sakthi@digicert.com.my>
> Sent: Thursday, November 04, 2004 12:16 PM
> Subject: Re: OpenLDAP: ACL : urgent
>
>
> > Hi,
> >
> > One solution is to use Advanced ACL which is a separate backend, not
> > part of the official OpenLDAP Software: http://aacls.sourceforge.net/.
> > It is going to be reimplemented as an overlay in the next two months.
> >
> > Regards,
> >
> > Sebastien.
> >
> > Sivasakthi wrote:
> >
> > > Hi,
> > > This is my tree
> > > c=MY
> > >     o=A
> > >         ou=a1
> > >     o=B
> > >         ou=a2
> > >     o=C
> > >         ou=a3
> > >
> > > What I need to do is that only the ou=a3 subtree and its children CAN ONLY be
> > > accessed by a closed user group, i.e. users under this tree should have access
> > > to it.
> > > This closed user group accesses it via a username-password. Only one pair is
> > > required for the whole community of this closed user group to access/read
> > > it.
> > >
> > > My access list configuration in the slapd.conf is as such:-
> > > access to dn="ou=a3,o=C,c=MY" by users read
> > > access to * by * read
> > >
> > > When I check via an LDAP browser, I managed to achieve this, that is I can
> > > view ou=a1, ou=a2, o=C. ou=a3 cannot be seen.
> > > However, to view ou=a3 I did this: reconfigure the LDAP browser base
> > > entry as o=C,c=MY and set the username and password to point to the
> > > rootdn/rootpassword, which should not be the case. Is there a way to
> > > introduce a specific one just for that tree? As Quanah mentioned, you can't
> > > lock down the tree. So how could one achieve this... any workaround?
> > >
> > > My project is a migration project. The current one is running on CriticalPath
> > > and it could do that. Hence, I'm ensuring the look and feel is not changed,
> > > hence my requirement above. Could anyone propose any suggestions?
> > >
> > > .sakthi
> > > ----- Original Message -----
> > > From: "Quanah Gibson-Mount" <quanah@stanford.edu>
> > > To: <openldap-software@OpenLDAP.org>
> > > Cc: "Sivasakthi d/o Sivagnanam" <sakthi@digicert.com.my>
> > > Sent: Wednesday, June 09, 2004 7:16 AM
> > > Subject: Re: OpenLDAP: ACL : urgent
> > >
> > >
> > > >
> > > >
> > > > --On Monday, June 07, 2004 5:00 PM +0800 "Sivasakthi d/o Sivagnanam"
> > > > <sakthi@digicert.com.my> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I have the following structure for my OpenLDAP DIT:-
> > > > > ROOT has subtree A and subtree B
> > > > >
> > > > > How do I go about setting a specific username|password for subtree B so
> > > > > that only a group of users is able to read only, write only and
> > > > > read+write ?
> > > >
> > > > There's not a whole lot here to go on.
> > > >
> > > > You don't lock down a tree by username/password.  You set up ACLs saying
> > > > what group of users (or users) have access to a tree.
> > > >
> > > >
> > > > Like:
> > > >
> > > > access to dn.base="cn=treeB,dc=digicert,dc=com,dc=my"
> > > >        by group.base="cn=usergroup,dc=digicert,dc=com,dc=my" read
> > > >        by dn.base="uid=sakthi,dc=digicert,dc=com,dc=my" write
> > > >        by * break
> > > >
> > > > or something along those lines.  I suggest reading:
> > > >
> > > > man slapd.access
> > > >
> > > > to see how to do write only (since "write" implies read+write).
> > > >
> > > > --Quanah
> > > >
> > > > --
> > > > Quanah Gibson-Mount
> > > > Principal Software Developer
> > > > ITSS/Shared Services
> > > > Stanford University
> > > > GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
> > >
> >
> >
> > -- 
> > Sébastien BAHLOUL
> > Project Manager / LDAP Directory Expert
> > LINAGORA SA - http://www.linagora.com
> > Tel.: +33(0)1 58 18 68 28 - Fax: +33(0)1 58 18 68 29
> > Mobile: +33 (0) 6 64 86 43 01
>
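An added example, not code from this thread or from OpenLDAP: a small Python model of how slapd evaluates the "access to" directives quoted above, following the rules in slapd.access(5) (the first directive whose <what> matches the entry is used, then the first matching <by> clause inside it, "break" continues to the next directive, an implied "access to * by * none" ends the list, and a granted level satisfies any lower request, which is why "write" implies read). The ACL strings are transcribed from the messages; the group membership table, the trailing "access to * by users read" after Quanah's example, and the bind DNs are constructed. It works at the entry level only (real slapd checks the "auth" privilege on the userPassword attribute) and treats an unqualified dn= selector as dn.base; both are simplifying assumptions.

```python
"""Model of slapd 'access to' evaluation (added example, not OpenLDAP code).
Rules from slapd.access(5): the first directive whose <what> matches the entry
is used; inside it the first matching <by> decides; 'break' moves on to the
next directive; an implied 'access to * by * none' closes the list."""
import re

# Privilege levels, lowest first; a granted level satisfies any lower request.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# dn[.style]="..." or group[.style]="..."; assumption: bare dn= means dn.base.
SELECTOR = re.compile(r'^(dn|group)(?:\.(base|one|subtree|children))?="([^"]*)"$')

def dn_matches(style, pattern, target):
    pattern, target = pattern.lower(), target.lower()
    if style == "base":
        return target == pattern
    if style == "one":  # naive parent: assumes no escaped commas in RDNs
        return target.partition(",")[2] == pattern
    if style == "subtree":
        return target == pattern or target.endswith("," + pattern)
    return target.endswith("," + pattern)  # children: strictly below

def parse_selector(sel):
    m = SELECTOR.match(sel)
    if not m:
        raise ValueError("unsupported selector: " + sel)
    kind, style, pattern = m.groups()
    return kind, style or "base", pattern

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] from slapd.conf-style text."""
    body = " ".join(line.strip() for line in text.splitlines() if line.strip())
    acls = []
    for clause in re.split(r"\baccess\s+to\s+", body)[1:]:
        parts = re.split(r"\s+by\s+", clause.strip())
        acls.append((parts[0].strip(), [tuple(p.split()) for p in parts[1:]]))
    return acls

def what_matches(what, target):
    if what == "*":
        return True
    kind, style, pattern = parse_selector(what)
    return kind == "dn" and dn_matches(style, pattern, target)

def who_matches(who, bound, target, groups):
    """bound == "" means an anonymous (unauthenticated) requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound == ""
    if who == "users":
        return bound != ""
    if who == "self":
        return bound != "" and bound.lower() == target.lower()
    kind, style, pattern = parse_selector(who)
    if kind == "dn":
        return bound != "" and dn_matches(style, pattern, bound)
    # group: membership comes from the constructed GROUPS table
    return bound.lower() in groups.get(pattern.lower(), set())

def check_access(acls, target, bound, needed, groups=None):
    """True if `bound` gets at least `needed` on entry `target` (entry level only)."""
    groups = groups or {}
    for what, bys in list(acls) + [("*", [("*", "none")])]:  # implied tail
        if not what_matches(what, target):
            continue
        for who, level in bys:
            if not who_matches(who, bound, target, groups):
                continue
            if level == "break":
                break  # fall through to the next directive
            return LEVELS.index(level) >= LEVELS.index(needed)
        else:
            return False  # <what> matched but no <by> did: denied
    return False

# Final ACL from the top of the thread (transcribed).
ACL_SAKTHI = parse_acl('''
access to dn.base="ou=a3,o=C,c=MY" by users read
access to dn.children="cn=X,ou=a3,o=C,c=MY"
    by anonymous auth
    by * none
access to * by * read
''')

# Quanah's example, plus a constructed last directive for "break" to reach.
ACL_QUANAH = parse_acl('''
access to dn.base="cn=treeB,dc=digicert,dc=com,dc=my"
       by group.base="cn=usergroup,dc=digicert,dc=com,dc=my" read
       by dn.base="uid=sakthi,dc=digicert,dc=com,dc=my" write
       by * break
access to * by users read
''')

# Constructed group membership (a groupOfNames entry in a real directory).
GROUPS = {"cn=usergroup,dc=digicert,dc=com,dc=my": {"uid=bob,dc=digicert,dc=com,dc=my"}}

if __name__ == "__main__":  # anonymous bind allowed on a user entry, anonymous read denied
    user = "serialNumber=1,cn=X,ou=a3,o=C,c=MY"  # constructed user entry
    print(check_access(ACL_SAKTHI, user, "", "auth"), check_access(ACL_SAKTHI, user, "", "read"))
```

Calling check_access over the final ACL makes explicit what it grants: anonymous clients get only auth (bind) on the entries under cn=X, nobody can read those entries even after binding, the ou=a3 entry itself is readable only by authenticated users, and any entry that neither of the first two directives names, cn=X itself for instance, falls through to "access to * by * read". Over Quanah's example it shows that uid=sakthi's "write" satisfies a read request, that a group member's "read" does not satisfy a write request, and that "by * break" sends everyone else on to the next directive instead of denying them outright.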