Re: OpenLDAP: ACL : urgent
Hi,
If you have only three trees, AACLs are not the right stuff.
But if your tree design is more complex and you want to be able to modify the rights
just by modifying entry values, AACLs are fine. Look at your example:
c=MY
  o=A
    ou=a1
      uid=john
  o=B
    ou=a2
  o=C
    ou=a3
with an attribute in o=A,c=MY which specifies the accessible trees, something like
dn: o=A,c=MY
<.../>
access: o=B,c=MY
<.../>
In this case, AACLs could be nice. Just for fun, the AACLs expression:
and((and("o=A,c=MY",sup("$authorDN",0))).access,sup("$targetDN",0))
With this expression, you can link the john entry and any entry which is under the o=B,c=MY.
A more "beautiful" example would be: if you design your trees to have a ou=Users
branch, then the relation would be more generic:
and((sup("$authorDN",2)).access,sup("$targetDN",0))
Regards,
Sébastien.
Sivasakthi wrote:
managed to solve my problem..........
my solution basically is yes, getting the right ACL....after trial n
error...got the right combination
created ldappasswd for dn="<attr>,cn=X,ou=a3,o=C,c=MY"
access to dn.base="ou=a3,o=C,c=MY" by users read
access to dn.children="cn=X,ou=a3,o=C,c=MY"
        by anonymous auth
        by * none
access to * by * read
.sakthi
----- Original Message -----
From: "Sivasakthi" <sakthi@digicert.com.my>
To: "Sébastien Bahloul" <bahloul@linagora.com>; "OpenLDAP Software List"
<openldap-software@OpenLDAP.org>
Sent: Saturday, November 06, 2004 9:37 AM
Subject: Re: OpenLDAP: ACL : urgent
Regarding what I've explained below... I don't want a specific
username-password to lock down the ou=a3 tree. What I would like is for each
user under that tree to use their respective credential, i.e. username=dn which
contains their unique attribute, say a serialnumber, and a password which is set
the same for everyone. Is it possible with the Advanced ACL or are there
other solutions?
----- Original Message -----
From: "Sébastien Bahloul" <bahloul@linagora.com>
To: "Sivasakthi" <sakthi@digicert.com.my>
Sent: Thursday, November 04, 2004 12:16 PM
Subject: Re: OpenLDAP: ACL : urgent
Hi,
One solution is to use Advanced ACL, which is a separate backend, not
part of the official OpenLDAP Software: http://aacls.sourceforge.net/.
It is going to be reimplemented as an overlay in the next two months.
Regards,
Sebastien.
Sivasakthi wrote:
Hi,
This is my tree
c=MY
  o=A
    ou=a1
  o=B
    ou=a2
  o=C
    ou=a3
What I need to do is that only the ou=a3 subtree and its children CAN ONLY
be accessed by a closed user group, i.e. users under this tree should have
access to it.
This closed user group accesses it via a username-password. Only one pair is
required for the whole community of this closed user group to access/read it.
My access list configuration in the slapd.conf is as such:-
access to dn="ou=a3,o=C,c=MY" by users read
access to * by * read
When I check via an LDAP browser, I managed to achieve this, that is I can
view ou=a1, ou=a2, o=C. ou=a3 cannot be seen.
However, to view ou=a3 I did this... reconfigured the LDAP browser base
entry as o=C,c=MY and set the username and password to point to the
rootdn/rootpassword........ which should not be the case. Is there a way to
introduce a specific one just for that tree? As Quanah mentioned, you can't
lock down the tree. So how could one achieve this... any workaround?
My project is a migratory project. The current one is running on CriticalPath
and it could do that. Hence, I'm ensuring the look and feel is not changed,
hence my requirement above. Could anyone propose any suggestions?
.sakthi
----- Original Message -----
From: "Quanah Gibson-Mount" <quanah@stanford.edu>
To: <openldap-software@OpenLDAP.org>
Cc: "Sivasakthi d/o Sivagnanam" <sakthi@digicert.com.my>
Sent: Wednesday, June 09, 2004 7:16 AM
Subject: Re: OpenLDAP: ACL : urgent
--On Monday, June 07, 2004 5:00 PM +0800 "Sivasakthi d/o Sivagnanam"
<sakthi@digicert.com.my> wrote:
Hi,
I have the following structure for my OpenLDAP DIT:-
ROOT has subtree A and subtree B
How do I go about setting a specific username|password for subtree B so
that only a group of users is able to read only, write only and
read+write?
There's not a whole lot here to go on.
You don't lock down a tree by username/password. You set up ACLs saying
what group of users (or users) have access to a tree.
Like:
access to dn.base="cn=treeB,dc=digicert,dc=com,dc=my"
        by group.base="cn=usergroup,dc=digicert,dc=com,dc=my" read
        by dn.base="uid=sakthi,dc=digicert,dc=com,dc=my" write
        by * break
or something along those lines. I suggest reading:
man slapd.access
to see how to do write only (since "write" implies read+write).
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
--
Sébastien BAHLOUL
Chef de projet / Expert Annuaires LDAP
LINAGORA SA - http://www.linagora.com
Tél.: +33(0)1 58 18 68 28 - Fax : +33(0)1 58 18 68 29
Portable : +33 (0) 6 64 86 43 01
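The slapd.conf ACLs below are an added example, not taken from any message in this thread: they implement, with the standard slapd access controls alone, what Sivasakthi asks for in the second message (each entry under ou=a3,o=C,c=MY binds with its own DN and password, and only such identities may read that subtree). The tree and DNs are the thread's; uid=alice is a constructed example entry.

```conf
# Added example (not from the thread): slapd.conf ACLs for the tree discussed
# above. Clauses are evaluated top-down: the first "access to" whose <what>
# matches the target entry wins, then the first matching "by" inside it.
# The rootdn is never subject to ACLs, which is why binding as rootdn made
# ou=a3 visible in the original test.

# 1. Credentials of the closed user group (e.g. uid=alice,ou=a3,o=C,c=MY):
#    the owner may change its own password, anonymous gets exactly "auth"
#    so a simple bind can be verified, and nobody else may read or compare
#    the stored hashes.
access to dn.subtree="ou=a3,o=C,c=MY" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The rest of the ou=a3 subtree (the ou=a3 entry and all its children):
#    readable only by identities that bound as an entry inside that subtree.
#    dn.subtree covers ou=a3 itself and everything below it; the dn="..."
#    form used in the original configuration defaults to base and covers
#    only the ou=a3 entry, so its children fell through to the catch-all.
access to dn.subtree="ou=a3,o=C,c=MY"
        by dn.subtree="ou=a3,o=C,c=MY" read
        by * none

# 3. Everything else (o=A, o=B and the o=C entry itself) stays world-readable,
#    as in the original configuration.
access to *
        by * read
```

To check the result, `ldapsearch -x -D "uid=alice,ou=a3,o=C,c=MY" -W -b "ou=a3,o=C,c=MY"` should return the subtree, while the same search run anonymously (`-x` without `-D`) should return no entries.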