Simple ACLs for certificate revocation list LDAP
Hello
This is my second problem today, not the same as my earlier post about mapping
certs to ACL users.
My environment:
OpenLDAP 2.2.13-2 (RHEL4) as LDAP server. CA-system which publishes
certificates and revocation lists to the LDAP.
LDAP's fqdn is ldap.kimmo.local and CA-system is ca.kimmo.local. LDAP server
has also secondary IP with fqdn ldap2.kimmo.local. LDAP's rootdn is
cn=manager,c=fi. LDAP structure is as follows:
c=fi
+--o=company
|  +--cn=company CA   (crl and cacert are here)
|  +--cn=user 1       (user cert is here)
|  +--cn=user 2
|  +--cn=user 3
+--o=admins
   +--cn=ca-admin
I would like to define ACLs so that:
1. anonymous users can read everything (certificates, revocation lists and
other attributes under user and CA entries). No access under o=admins,c=fi
2A. CA-system can read and write anything, binding as rootdn only when source
IP is ca.kimmo.local
2B. CA-system can read and write anything, binding as existing ldap user
cn=ca-admin only when source IP is ca.kimmo.local
2C. CA-system can read and write anything, binding as existing ldap user
cn=ca-admin only when source IP is ca.kimmo.local and destination IP is the
secondary IP
2D. CA-system can read and write anything, using TLS client auth only when
source IP is ca.kimmo.local
I have no idea how the ACLs should be defined. I need to have option 1 and
one 2X. In any case, writing from CA would be TLS server authenticated and
encrypted.
Any help or pointers to the examples or howtos?
Regards
Kimmo Koivisto
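An added example, not from Kimmo's post or from the OpenLDAP project: slapd.conf access directives that implement option 1 together with option 2B for the tree above, with option 2C shown as a commented alternative. Everything host-specific is a constructed assumption: the CA host's address is taken to be 192.0.2.10, the secondary listener to be 192.0.2.2:389, the admin entry to be cn=ca-admin,o=admins,c=fi, and slapd 2.2 is assumed so that the peername.ip= and tls_ssf= specifiers are available. One point worth knowing before choosing between 2A and 2B: the rootdn is never subject to ACLs, so a rule restricting cn=manager,c=fi by source address has no effect; only a regular entry such as cn=ca-admin can be confined this way.

```conf
# Added example (not from the original post). Addresses are constructed
# placeholders: 192.0.2.10 = ca.kimmo.local, 192.0.2.2 = ldap2.kimmo.local.
# Rules are evaluated top-down and the first matching "access to" wins,
# so the restrictive o=admins rules must come before the general ones.

# cn=ca-admin must still be able to bind: a simple bind needs "auth"
# access to its own userPassword. Grant that only from the CA host and
# only on a TLS session; nobody else may read or probe admin passwords.
access to dn.subtree="o=admins,c=fi" attrs=userPassword
        by anonymous peername.ip=192.0.2.10 tls_ssf=128 auth
        by * none

# Option 1, second half: nothing under o=admins is visible to anyone
# except cn=ca-admin itself (from the CA host, over TLS).
access to dn.subtree="o=admins,c=fi"
        by dn.exact="cn=ca-admin,o=admins,c=fi" peername.ip=192.0.2.10 tls_ssf=128 write
        by * none

# Keep user passwords out of the anonymous read granted below.
access to attrs=userPassword
        by dn.exact="cn=ca-admin,o=admins,c=fi" peername.ip=192.0.2.10 tls_ssf=128 write
        by anonymous auth
        by self write
        by * none

# Option 2B: the CA-system, bound as cn=ca-admin, may write certificates,
# the CRL and the CA cert, but only from the CA host and only over TLS.
# Option 1, first half: everyone else, including anonymous, may read.
#
# Option 2C instead: add a sockname match so the write clause only applies
# to connections arriving on the secondary listener. sockname is the local
# socket as "IP=<addr>:<port>", hence the regex on the placeholder below:
#   by dn.exact="cn=ca-admin,o=admins,c=fi" peername.ip=192.0.2.10 sockname.regex="^IP=192\.0\.2\.2:" tls_ssf=128 write
access to dn.subtree="o=company,c=fi"
        by dn.exact="cn=ca-admin,o=admins,c=fi" peername.ip=192.0.2.10 tls_ssf=128 write
        by * read

# Whatever is left (the c=fi entry itself) is read-only for everyone.
access to *
        by * read
```

Several specifiers in one "by" clause are ANDed, which is what ties the write grant to the identity, the source address and the TLS strength at once. peername.ip matches the connecting address rather than a name, so ca.kimmo.local has to be written as its address; the domain= specifier would match on reverse DNS, which is not something to base write access on. For option 2D the same dn.exact clause serves once the client certificate's subject has been mapped to cn=ca-admin, which is the mapping problem from the earlier post.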