
Re: acls for "remote groups"



Raissa Dantas Freire de Medeiros wrote:

Hi all!

Has anybody ever needed to grant access to a group from another partition?

Suppose you are on a.com.br server (DN suffix: dc=br). Its acl conf file is:

access to dn.subtree="dc=br"
   by group/groupOfNames/member="cn=g1,ou=pb,dc=br" write
   by * read

The group cn=g1,ou=pb,dc=br is on another server (suppose b.com.br server, DN suffix: ou=pb,dc=br).

I have noticed slapd ignores the first <who> clause when evaluating acls!!!!


Yes. Slapd is stupid enough to require you to tell it what to do. As you've already been told in a previous posting, you need to define another database of "ldap" type, pointing to the remote server that contains the bit of information you want it to use for access checking, and glue it together with the original one. Assuming you're using OpenLDAP 2.2 (the syntax changes with 2.3, so I'll describe both):

<OL22>
database        ldap
suffix          "ou=pb,dc=br"
subordinate
uri             "ldap://remote/"
#...

database        bdb
suffix          "dc=br"
#...
</OL22>

<OL23>
database        ldap
suffix          "ou=pb,dc=br"
uri             "ldap://remote/"
#...

database        bdb
suffix          "dc=br"
#...

overlay         glue
glue-sub        "ou=pb,dc=br"
</OL23>

This does what you intend; it is likely to behave poorly because of your design; I'd rather replicate the group info in the local database.

p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
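As an added illustration that is not part of this thread: a small Python check that mimics how slapd picks the backend for a DN (the database whose suffix is the longest match) and applies it to the group DN named in the ACL above. With only the local bdb database the group entry must exist under dc=br locally; with the glued ldap backend for ou=pb,dc=br the lookup is routed to the proxy. The sample configs are constructed from the thread, and the parser is deliberately simplified (no DN escaping, only the database/suffix and "by group" directives).

```python
import re

# Constructed sample configs: the poster's ACL, first with only the local bdb
# database, then with the glued ldap backend for ou=pb,dc=br from the reply.
ACL = '''access to dn.subtree="dc=br"
   by group/groupOfNames/member="cn=g1,ou=pb,dc=br" write
   by * read
'''
CONF_LOCAL_ONLY = ACL + '''database        bdb
suffix          "dc=br"
'''
CONF_GLUED = ACL + '''database        ldap
suffix          "ou=pb,dc=br"
subordinate
uri             "ldap://remote/"
database        bdb
suffix          "dc=br"
'''

def normalize_dn(dn):
    # Simplified DN normalisation: lowercase, trim spaces around commas (no escape handling)
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_databases(conf):
    # Collect (backend_type, suffix) from each database/suffix stanza
    dbs, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^database\s+(\S+)$', line)
        if m:
            current = [m.group(1), None]
            dbs.append(current)
        m = re.match(r'^suffix\s+"([^"]*)"$', line)
        if m and current is not None:
            current[1] = normalize_dn(m.group(1))
    return [(t, s) for t, s in dbs if s is not None]

def group_dns_in_acls(conf):
    # Group DNs referenced by 'by group[/objectClass/attr]="..."' clauses
    return [normalize_dn(d) for d in re.findall(r'\bby\s+group(?:/[^=\s]*)?="([^"]+)"', conf)]

def backend_for(dn, dbs):
    # Mimic slapd backend selection: the database whose suffix is the longest match wins
    hits = [(t, s) for t, s in dbs if dn == s or dn.endswith("," + s)]
    return max(hits, key=lambda ts: len(ts[1])) if hits else None

def resolve_acl_groups(conf):
    # Map each ACL group DN to the backend that must be able to return that entry
    dbs = parse_databases(conf)
    return {g: backend_for(g, dbs) for g in group_dns_in_acls(conf)}
```

Running `resolve_acl_groups` on a real slapd.conf shows which backend has to answer for every group DN an ACL depends on, which is the first thing to check when a `by group` clause silently never matches.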