
Re: OpenLDAP: ACL : urgent



Thanks Sebastien... should the requirement get complex in the future, I will
definitely keep the AACL functionality in mind.

.sakthi
----- Original Message ----- 
From: "Sébastien Bahloul" <bahloul@linagora.com>
To: "Sivasakthi" <sakthi@digicert.com.my>
Cc: "OpenLDAP Software List" <openldap-software@OpenLDAP.org>
Sent: Monday, November 08, 2004 6:13 PM
Subject: Re: OpenLDAP: ACL : urgent


> Hi,
>
> If you have only three trees, AACLs are not the right stuff.
> But if your tree design is more complex and you want to be able to modify
> the rights just by modifying entry values, AACLs are fine. Look at your example:
>
> c=MY
>     o=A
>         ou=a1
>              uid=john
>     o=B
>         ou=a2
>     o=C
>         ou=a3
>
> with an attribute in o=A,c=MY which specifies the accessible trees,
> something like
>
> dn: o=A,c=MY
> <.../>
> access: o=B,c=MY
> <.../>
>
> In this case, AACLs could be nice. Just for fun, the AACL expression:
>
> and((and("o=A,c=MY",sup("$authorDN",0))).access,sup("$targetDN",0))
>
> With this expression, you can link the john entry and any entry which is
> under o=B,c=MY.
>
> A more "beautiful" example would be: if you design your trees to have a
> ou=Users branch, then the relation would be more generic:
>
> and((sup("$authorDN",2)).access,sup("$targetDN",0))
>
> Regards,
>
> Sébastien.
>
>
> Sivasakthi wrote:
>
> >Managed to solve my problem..........
> >
> >My solution basically is yes, getting the right ACL....after trial and
> >error...got the right combination.
> >Created ldappasswd for dn="<attr>,cn=X,ou=a3,o=C,c=MY"
> >
> >access to dn.base="ou=a3,o=C,c=MY" by users read
> >access to dn.children="cn=X,ou=a3,o=C,c=MY"
> >    by anonymous auth
> >    by * none
> >access to * by * read
> >
> >.sakthi
> >----- Original Message ----- 
> >From: "Sivasakthi" <sakthi@digicert.com.my>
> >To: "Sébastien Bahloul" <bahloul@linagora.com>; "OpenLDAP Software List"
> ><openldap-software@OpenLDAP.org>
> >Sent: Saturday, November 06, 2004 9:37 AM
> >Subject: Re: OpenLDAP: ACL : urgent
> >
> >
> >
> >
> >>Regarding what I've explained below... I don't want a specific
> >>username-password to lock down the ou=a3 tree. What I would like is each
> >>user under that tree uses their respective credential, i.e. username=dn
> >>which contains their unique attribute, say a serialnumber, and password
> >>which is set the same for everyone. Is it possible with the Advanced ACL
> >>or are there other solutions?
> >>
> >>----- Original Message ----- 
> >>From: "Sébastien Bahloul" <bahloul@linagora.com>
> >>To: "Sivasakthi" <sakthi@digicert.com.my>
> >>Sent: Thursday, November 04, 2004 12:16 PM
> >>Subject: Re: OpenLDAP: ACL : urgent
> >>
> >>
> >>
> >>
> >>>Hi,
> >>>
> >>>One solution is to use Advanced ACL which is a separate backend, not
> >>>part of the official OpenLDAP Software : http://aacls.sourceforge.net/.
> >>>It is going to be reimplemented as an overlay in the next two months.
> >>>
> >>>Regards,
> >>>
> >>>Sebastien.
> >>>
> >>>Sivasakthi wrote:
> >>>
> >>>
> >>>
> >>>>Hi,
> >>>>This is my tree
> >>>>c=MY
> >>>>    o=A
> >>>>        ou=a1
> >>>>    o=B
> >>>>        ou=a2
> >>>>    o=C
> >>>>        ou=a3
> >>>>
> >>>>What I need to do is that only the ou=a3 subtree and its children CAN ONLY
> >>>>be accessed by a closed user group, i.e. users under this tree should have
> >>>>access to it.
> >>>>This closed user group accesses it via a username-password. Only one pair
> >>>>is required for the whole community of this closed user group to access/read
> >>>>it.
> >>>>
> >>>>My access list configuration in the slapd.conf is as such:-
> >>>>access to dn="ou=a3,o=C,c=MY" by users read
> >>>>access to * by * read
> >>>>
> >>>>When I check via an LDAP browser, I managed to achieve this, that is I can
> >>>>view ou=a1, ou=a2, o=C. ou=a3 cannot be seen.
> >>>>However, to view the ou=a3: I did this ... reconfigure the LDAP browser base
> >>>>entry as o=C,c=MY and set the username and password to point to the
> >>>>rootdn/rootpassword........ which should not be the case. Is there a way to
> >>>>introduce a specific one just for that tree? As Quanah mentioned, you can't
> >>>>lock down the tree. So how could one achieve this .. any workaround?
> >>>>
> >>>>My project is a migration project. The current one is running on CriticalPath
> >>>>and it could do that. Hence, I'm ensuring the look and feel is not changed,
> >>>>hence my requirement above. Could anyone propose any suggestions?
> >>>>
> >>>>.sakthi
> >>>>----- Original Message -----
> >>>>From: "Quanah Gibson-Mount" <quanah@stanford.edu>
> >>>>To: <openldap-software@OpenLDAP.org>
> >>>>Cc: "Sivasakthi d/o Sivagnanam" <sakthi@digicert.com.my>
> >>>>Sent: Wednesday, June 09, 2004 7:16 AM
> >>>>Subject: Re: OpenLDAP: ACL : urgent
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>--On Monday, June 07, 2004 5:00 PM +0800 "Sivasakthi d/o Sivagnanam"
> >>>>><sakthi@digicert.com.my> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>>Hi,
> >>>>>>
> >>>>>>I have the following structure for my OpenLDAP DIT:-
> >>>>>>ROOT has subtree A and subtree B
> >>>>>>
> >>>>>>How do I go about setting a specific username|password for subtree B so
> >>>>>>that only a group of users is able to read only, write only and
> >>>>>>read+write?
> >>>>>>
> >>>>>>
> >>>>>There's not a whole lot here to go on.
> >>>>>
> >>>>>You don't lock down a tree by username/password.  You set up ACLs saying
> >>>>>what group of users (or users) have access to a tree.
> >>>>>
> >>>>>
> >>>>>Like:
> >>>>>
> >>>>>access to dn.base="cn=treeB,dc=digicert,dc=com,dc=my"
> >>>>>       by group.base="cn=usergroup,dc=digicert,dc=com,dc=my" read
> >>>>>       by dn.base="uid=sakthi,dc=digicert,dc=com,dc=my" write
> >>>>>       by * break
> >>>>>
> >>>>>or something along those lines.  I suggest reading:
> >>>>>
> >>>>>man slapd.access
> >>>>>
> >>>>>to see how to do write only (since "write" implies read+write).
> >>>>>
> >>>>>--Quanah
> >>>>>
> >>>>>--
> >>>>>Quanah Gibson-Mount
> >>>>>Principal Software Developer
> >>>>>ITSS/Shared Services
> >>>>>Stanford University
> >>>>>GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>-- 
> >>>Sébastien BAHLOUL
> >>>Project manager / LDAP directory expert
> >>>LINAGORA SA - http://www.linagora.com
> >>>Tel.: +33(0)1 58 18 68 28 - Fax: +33(0)1 58 18 68 29
> >>>Mobile: +33 (0) 6 64 86 43 01
> >>>
> >>>
> >
> >
> >
> >
> >
>
> -- 
> Sébastien BAHLOUL
> Project manager / LDAP directory expert
> LINAGORA SA - http://www.linagora.com
> Tel.: +33(0)1 58 18 68 28 - Fax: +33(0)1 58 18 68 29
> Mobile: +33 (0) 6 64 86 43 01
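To check which identities end up with which access under rules like the ones exchanged in this thread, here is an added example (not from the thread and not OpenLDAP code) that models slapd's first-match ACL evaluation in Python, with the dn styles and `by` subjects the thread uses, and loads Sakthi's final rules as data; the semantics are assumed from slapd.access(5) and the bind DNs you pass in are your own constructed entries.

```python
"""Model of slapd ACL evaluation, assumed from slapd.access(5): the first `access to`
directive whose target matches the entry is used, and within it the first `by`
clause whose subject matches decides. Not modelled: continue/break, regex, groups."""
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def target_matches(style, pattern, entry_dn):
    """dn styles: base (that entry only), children (below it), subtree (both)."""
    if pattern == "*":
        return True
    p, e = _norm(pattern), _norm(entry_dn)
    under = e.endswith("," + p)  # strictly below p, on an RDN boundary
    if style == "base":
        return e == p
    if style == "children":
        return under
    if style == "subtree":
        return under or e == p
    raise ValueError("unsupported style " + style)

def subject_matches(who, bind_dn):
    """`by` subjects: *, anonymous, users (bind_dn None means anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    raise ValueError("unsupported subject " + who)

def access_level(acl, entry_dn, bind_dn):
    """Privilege level bind_dn gets on entry_dn; 'none' when nothing matches."""
    for (style, pattern), clauses in acl:
        if target_matches(style, pattern, entry_dn):
            for who, level in clauses:
                if subject_matches(who, bind_dn):
                    return level
            return "none"  # directive matched but none of its `by` clauses did
    return "none"

def can(acl, entry_dn, bind_dn, needed):
    return LEVELS.index(access_level(acl, entry_dn, bind_dn)) >= LEVELS.index(needed)

SAKTHI_ACL = [  # Sakthi's final rules from the thread, transcribed as data
    (("base", "ou=a3,o=C,c=MY"), [("users", "read")]),
    (("children", "cn=X,ou=a3,o=C,c=MY"), [("anonymous", "auth"), ("*", "none")]),
    (("subtree", "*"), [("*", "read")]),
]
```

Running access_level over the tree shows that the first rule, being dn.base, covers only the ou=a3 entry itself: the cn=X entry and any other entries under ou=a3 that are not below cn=X fall through to the final `by * read`, so dn.subtree would be needed to cover the whole branch.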