Re: acls for "remote groups"
Raissa Dantas Freire de Medeiros wrote:
Hi all!
Has anybody ever needed to grant access to a group from another partition?
Suppose you are on the a.com.br server (DN suffix: dc=br). Its ACL conf file is:
access to dn.subtree="dc=br"
by group/groupOfNames/member="cn=g1,ou=pb,dc=br" write
by * read
The group cn=g1,ou=pb,dc=br is on another server (suppose b.com.br server, DN suffix: ou=pb,dc=br).
I have noticed slapd ignores the first <who> clause when evaluating acls!!!!
Yes. Slapd is stupid enough to require you to tell it what to do. As
you've already been told in a previous posting, you need to define
another database of "ldap" type, pointing to the remote server that
contains the bit of information you want it to use for access checking,
and glue it together with the original one. Assuming you're using
OpenLDAP 2.2 (the syntax changes with 2.3, so I'll describe both):
<OL22>
database ldap
suffix "ou=pb,dc=br"
subordinate
uri "ldap://remote/"
#...
database bdb
suffix "dc=br"
#...
</OL22>
<OL23>
database ldap
suffix "ou=pb,dc=br"
uri "ldap://remote/"
#...
database bdb
suffix "dc=br"
#...
overlay glue
glue-sub "ou=pb,dc=br"
</OL23>
This does what you intend; it is likely to behave poorly because of your
design; I'd rather replicate the group info in the local database.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
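To make the failure mode in this thread concrete, here is a small model (added illustration, not OpenLDAP code) of how a `group/groupOfNames/member` clause is resolved: the group entry is fetched through whichever local database serves the longest matching suffix, and if that lookup returns nothing the clause simply fails and evaluation falls through to the next `by` clause. The two `Directory` objects model the two configurations from the thread: a lone `bdb` database for `dc=br`, and the same database with a subordinate `ldap` database for `ou=pb,dc=br` glued beneath it. The entries, the user `cn=alice,ou=people,dc=br`, and the simplified DN handling (no escaping, no multi-valued RDNs) are constructed assumptions for the example.

```python
"""Model of slapd's group <who> clause resolution over glued databases (added example)."""
from typing import Optional, List, Dict, Tuple


def normalize_dn(dn: str) -> Tuple[str, ...]:
    # Simplified normalization: split on commas, trim, lowercase.
    # Real slapd handles escaping and multi-valued RDNs; this does not.
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def dn_is_within(dn: str, suffix: str) -> bool:
    # True if dn equals suffix or lies beneath it, matched on RDN boundaries.
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


class Database:
    """One slapd database: a suffix and the entries it can return (constructed)."""

    def __init__(self, suffix: str, entries: Dict[str, dict]):
        self.suffix = suffix
        self.entries = {normalize_dn(k): v for k, v in entries.items()}

    def lookup(self, dn: str) -> Optional[dict]:
        return self.entries.get(normalize_dn(dn))


class Directory:
    """A set of databases; lookups route to the longest matching suffix."""

    def __init__(self, databases: List[Database]):
        self.databases = databases

    def select(self, dn: str) -> Optional[Database]:
        matches = [db for db in self.databases if dn_is_within(dn, db.suffix)]
        if not matches:
            return None
        return max(matches, key=lambda db: len(normalize_dn(db.suffix)))

    def lookup(self, dn: str) -> Optional[dict]:
        db = self.select(dn)
        return db.lookup(dn) if db else None


def group_member(directory: Directory, group_dn: str, member_dn: str, attr: str = "member") -> bool:
    # The group clause needs the group entry itself; if no local database
    # can produce it, the clause can never match (the "ignored" clause).
    entry = directory.lookup(group_dn)
    if entry is None:
        return False
    members = {normalize_dn(m) for m in entry.get(attr, [])}
    return normalize_dn(member_dn) in members


# ACL from the thread: what = dn.subtree="dc=br", then ordered <by> clauses.
ACL_WHAT = "dc=br"
ACL_BY = [(("group", "cn=g1,ou=pb,dc=br"), "write"), ("*", "read")]


def access_for(directory: Directory, bind_dn: str, target_dn: str) -> str:
    if not dn_is_within(target_dn, ACL_WHAT):
        return "none"
    for who, level in ACL_BY:          # first matching <by> clause wins
        if who == "*":
            return level
        kind, group_dn = who
        if kind == "group" and group_member(directory, group_dn, bind_dn):
            return level
    return "none"


# Constructed data: the group lives on the remote server (suffix ou=pb,dc=br).
REMOTE_GROUP = {"cn=g1,ou=pb,dc=br": {"objectClass": ["groupOfNames"],
                                       "member": ["cn=alice,ou=people,dc=br"]}}
LOCAL_ENTRIES = {"cn=alice,ou=people,dc=br": {"objectClass": ["person"]},
                 "ou=people,dc=br": {"objectClass": ["organizationalUnit"]}}

ALICE, TARGET = "cn=alice,ou=people,dc=br", "ou=people,dc=br"


def access_without_glue() -> str:
    # Only "database bdb / suffix dc=br": the group DN routes to bdb, which
    # has no such entry, so the group clause fails and "* read" applies.
    directory = Directory([Database("dc=br", LOCAL_ENTRIES)])
    return access_for(directory, ALICE, TARGET)


def access_with_glue() -> str:
    # bdb for dc=br plus an "ldap" database for ou=pb,dc=br (modelled here as
    # a database that returns the remote entry): longest suffix wins.
    directory = Directory([Database("dc=br", LOCAL_ENTRIES),
                           Database("ou=pb,dc=br", REMOTE_GROUP)])
    return access_for(directory, ALICE, TARGET)


if __name__ == "__main__":
    print("without glue:", access_without_glue())
    print("with glue:   ", access_with_glue())
```

The model also shows why the reply recommends replicating the group locally: every ACL evaluation for a `dc=br` target performs a lookup of `cn=g1,ou=pb,dc=br`, and with the `ldap` backend that lookup is a network round trip on the critical path of each access check.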