
Simple ACLs for certificate revocation list LDAP



Hello

This is my second problem today, not the same as earlier post about mapping 
certs to ACL users.

My environment:
Openldap 2.2.13-2 (RHEL4) as LDAP server. CA-system which publishes 
certificates and revocation lists to the LDAP.

LDAP's fqdn is ldap.kimmo.local and CA-system is ca.kimmo.local. LDAP server 
has also secondary IP with fqdn ldap2.kimmo.local. LDAP's rootdn is 
cn=manager,c=fi. LDAP structure is as follows:

c=fi
	\----o=company
		\----cn=company CA (crl and cacert are here)
		\----cn=user 1 (user cert is here)
		\----cn=user 2
		\----cn=user 3

	\----o=admins
		\----cn=ca-admin

I would like to define ACLs so that:

1. anonymous users can read everything (certificates, revocation lists and 
other attributes under user and CA entries). No access under o=admins,c=fi

2A. CA-system can read and write anything, binding as rootdn only when source 
IP is ca.kimmo.local

2B. CA-system can read and write anything, binding as existing ldap user 
cn=ca-admin only when source IP is ca.kimmo.local

2C. CA-system can read and write anything, binding as existing ldap user 
cn=ca-admin only when source IP is ca.kimmo.local and destination IP is the 
secondary IP

2D. CA-system can read and write anything, using TLS client auth only when 
source IP is ca.kimmo.local

I have no idea how the ACLs should be defined. I need to have option 1 and 
one 2X. In any case, writing from CA would be TLS Server authenticated and 
encrypted.

Any help or pointers to the examples or howtos?

Regards
Kimmo Koivisto
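As an added illustration (not part of the original post or of any reply), the following slapd.conf access directives implement requirement 1 together with variant 2B for the tree shown above, with 2C and 2D noted as one-line changes. It assumes OpenLDAP 2.2 access syntax (dn.subtree, peername.ip, tls_ssf, sockname) and uses constructed placeholder addresses: peername matches on the client's IP address, not its DNS name, so ca.kimmo.local has to be written as its address (192.0.2.10 below), and the secondary server address is assumed to be 192.0.2.21. Two points worth knowing before reading it: the rootdn is not subject to access directives at all, so variant 2A cannot be enforced this way, and slapd uses the first matching `access` clause and, inside it, the first matching `by` clause, so the order of the directives is part of the policy.

```conf
# Added example, not from the original post: slapd.conf access directives
# for the c=fi tree described above.  All IP addresses are constructed
# placeholders (assumed values, replace with the real ones):
#   192.0.2.10  address of ca.kimmo.local (the only host allowed to write)
#   192.0.2.21  secondary address of the LDAP server (for variant 2C)

# Password hashes must never be readable.  "auth" lets an anonymous client
# perform a simple bind against the stored hash without reading it, which
# is what cn=ca-admin needs in order to bind at all.  Only the CA host,
# bound as cn=ca-admin, may change the password.
access to attrs=userPassword
        by dn.exact="cn=ca-admin,o=admins,c=fi" peername.ip=192.0.2.10 write
        by anonymous auth
        by * none

# Requirement 1 (no anonymous access under o=admins) and variant 2B:
# several who-qualifiers in one "by" line are ANDed, so write access needs
# the ca-admin identity AND the CA source address AND a TLS session with
# at least 128 bits of protection.  Everyone else gets nothing.
access to dn.subtree="o=admins,c=fi"
        by dn.exact="cn=ca-admin,o=admins,c=fi" peername.ip=192.0.2.10 tls_ssf=128 write
        by * none

# Requirement 1 for the CA and user entries (certificates, CRL, other
# attributes are world-readable), plus the same write rule for the CA host.
access to dn.subtree="o=company,c=fi"
        by dn.exact="cn=ca-admin,o=admins,c=fi" peername.ip=192.0.2.10 tls_ssf=128 write
        by * read

# Variant 2C: additionally require that the connection arrived on the
# secondary address.  sockname is the server-side socket, rendered as
# "IP=<addr>:<port>" (assumed form), so add this qualifier to both write
# lines above, e.g.:
#       by dn.exact="cn=ca-admin,o=admins,c=fi" peername.ip=192.0.2.10 sockname.regex="^IP=192\.0\.2\.21:" tls_ssf=128 write

# Variant 2D: with TLS client authentication (SASL EXTERNAL) the bind
# identity is the certificate subject DN, or whatever authz-regexp maps it
# to; put that DN in dn.exact= on the write lines instead of cn=ca-admin
# and keep the peername.ip and tls_ssf qualifiers unchanged.

# Catch-all for c=fi itself and anything not matched earlier, so base
# searches and the naming context remain readable.
access to *
        by * read
```

Check the result with `slapacl` before relying on it, for example `slapacl -D cn=ca-admin,o=admins,c=fi -b "cn=company CA,o=company,c=fi" -o peername=IP=192.0.2.10:40000 certificateRevocationList/write` and an anonymous run against the cn=ca-admin entry, so that a misordered clause is caught in testing rather than after the CA has pushed its first CRL.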