2 top level domains and acls
I have two top level domains in my openldap directory: example.local and other.local.
I have installed the suse93 packaged openldap server version 2.2.23.
I would like to declare the following permissions:
1. "cn=Manager,dc=example,dc=local" and "cn=writer,dc=example,dc=local" can
read, write and authenticate, i.e. do anything in both domains ...
2. "cn=reader,dc=example,dc=local" can read anything in both domains.
3. "cn=publicreader,dc=example,dc=local" can read mail, sn, givenName in
example.local only.
I was expecting the results of my test for publicreader to give the sn and
givenName for Joe Bloggs. It does not.
What am I doing wrong?
Do I need to supply different acls, or acls just in a different order?
#slapd.conf file
###############################################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/yast.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
access to attrs=userPassword
    by anonymous auth
    by * none
access to attrs=sn,givenName
    by users read
    by * none
access to *
    by dn="cn=Manager,dc=example,dc=local" write
    by dn="cn=writer,dc=example,dc=local" write
    by dn="cn=reader,dc=example,dc=local" read
    by * none
database ldbm
suffix "dc=other,dc=local"
suffix "dc=example,dc=local"
rootdn "cn=Manager,dc=example,dc=local"
rootpw secret
directory /var/lib/ldap
index objectClass eq
This is a population script that I run to populate the directory.
###############################################################################
:
rcldap stop
rm /var/lib/ldap/*
rcldap start
ldapadd -xWD "cn=Manager,dc=example,dc=local" <<HERE
dn: dc=example,dc=local
objectClass: dcObject
objectClass: organization
o: Sparke Helmore
dc: example

dn: dc=other,dc=local
objectClass: dcObject
objectClass: organization
o: Non Sparke Helmore Organisations
dc: other

dn: cn=reader,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: reader
userPassword: secret

dn: cn=writer,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: writer
userPassword: secret

dn: cn=publicreader,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: publicreader
userPassword: secret

dn: uid=BDN,dc=example,dc=local
objectClass: inetorgPerson
uid: BDN
sn: Bloggs
givenName: Joe
cn: Joe Bloggs
HERE
# These are the results of an ldapsearch using reader. Results are as expected
....
###############################################################################
l0027:~/work # ldapsearch -D "cn=reader,dc=example,dc=local" -xb "dc=example,dc=local" -w secret
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=local> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# example.local
dn: dc=example,dc=local
objectClass: dcObject
objectClass: organization
o: Sparke Helmore
dc: example

# reader, example.local
dn: cn=reader,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: reader

# writer, example.local
dn: cn=writer,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: writer

# publicreader, example.local
dn: cn=publicreader,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: publicreader

# BDN, example.local
dn: uid=BDN,dc=example,dc=local
objectClass: inetOrgPerson
uid: BDN
sn: Bloggs
givenName: Joe
cn: Joe Bloggs

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
# These are the results of an ldapsearch using publicreader. I was expecting
# to see the sn and givenName for Joe Bloggs but found nothing
###############################################################################
l0027:~/work # ldapsearch -D "cn=publicreader,dc=example,dc=local" -xb "dc=example,dc=local" -w secret
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=local> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
thanks
ben
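The following is an added example, not part of Ben's message and not slapd code: a small Python model of how slapd evaluates the posted access directives. slapd takes the first "access to" clause whose <what> matches the entry and attribute, then the first "by" whose <who> matches the bound DN, and every list ends with an implicit "access to * by * none". A search only returns an entry when the binder has read access to the "entry" pseudo-attribute and search access to the attributes in the filter (objectClass for "(objectclass=*)"). In the posted configuration the sn,givenName clause gives publicreader read on those two attributes, but "entry" and objectClass fall through to the catch-all clause, where publicreader gets none, so no entries come back. The CORRECTED ruleset is my suggestion (assumed, not from the post): it adds entry and objectClass to the public clause, scopes it to example.local with dn.subtree, and re-grants write to Manager and writer so the more specific clause does not shadow them. The sample DNs are constructed to mirror the population script.

```python
"""First-match model of slapd.conf access directives (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# slapd's access levels in order; each level implies every level below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Clause:
    attrs: Optional[frozenset] = None        # None stands for "access to *"
    subtree: Optional[str] = None            # dn.subtree="..." scope, None for any entry
    by: list = field(default_factory=list)   # ordered (who, level) pairs


def who_matches(who: str, bind_dn: Optional[str]) -> bool:
    """Match the <who> forms used in the post: *, anonymous, users, dn="..."."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who.startswith('dn="') and who.endswith('"'):
        return bind_dn is not None and who[4:-1].lower() == bind_dn.lower()
    raise ValueError(f"unsupported <who>: {who}")


def in_subtree(entry_dn: str, subtree: str) -> bool:
    e, s = entry_dn.lower(), subtree.lower()
    return e == s or e.endswith("," + s)


def access(clauses, bind_dn, entry_dn, attr) -> str:
    """Access level granted by the FIRST matching clause; later clauses are never consulted."""
    for c in clauses:
        if c.attrs is not None and attr.lower() not in {a.lower() for a in c.attrs}:
            continue
        if c.subtree is not None and not in_subtree(entry_dn, c.subtree):
            continue
        for who, level in c.by:
            if who_matches(who, bind_dn):
                return level
        return "none"   # clause matched but no <by> did: implicit "by * none"
    return "none"       # nothing matched: implicit "access to * by * none"


def allows(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)


def visible(clauses, bind_dn, entry_dns, filter_attr="objectClass"):
    """DNs a search with filter (filter_attr=*) returns: read on "entry" plus search on the filter attribute."""
    return [dn for dn in entry_dns
            if allows(access(clauses, bind_dn, dn, "entry"), "read")
            and allows(access(clauses, bind_dn, dn, filter_attr), "search")]


MANAGER = 'dn="cn=Manager,dc=example,dc=local"'
WRITER = 'dn="cn=writer,dc=example,dc=local"'
READER = 'dn="cn=reader,dc=example,dc=local"'

# The three clauses as they appear in the posted slapd.conf.
ORIGINAL = [
    Clause(frozenset({"userPassword"}), None, [("anonymous", "auth"), ("*", "none")]),
    Clause(frozenset({"sn", "givenName"}), None, [("users", "read"), ("*", "none")]),
    Clause(None, None, [(MANAGER, "write"), (WRITER, "write"), (READER, "read"), ("*", "none")]),
]

# Suggested replacement for the second clause (assumption, not from the post). In slapd.conf syntax:
#   access to dn.subtree="dc=example,dc=local" attrs=entry,objectClass,mail,sn,givenName
#       by dn="cn=Manager,dc=example,dc=local" write
#       by dn="cn=writer,dc=example,dc=local" write
#       by users read
#       by * none
CORRECTED = [
    ORIGINAL[0],
    Clause(frozenset({"entry", "objectClass", "mail", "sn", "givenName"}), "dc=example,dc=local",
           [(MANAGER, "write"), (WRITER, "write"), ("users", "read"), ("*", "none")]),
    ORIGINAL[2],
]

# Constructed sample DNs: two from the population script plus the other.local base.
ENTRIES = ["dc=example,dc=local", "uid=BDN,dc=example,dc=local", "dc=other,dc=local"]
PUBLICREADER = "cn=publicreader,dc=example,dc=local"

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, "publicreader sees:", visible(rules, PUBLICREADER, ENTRIES))
        print(name, "publicreader on sn:", access(rules, PUBLICREADER, ENTRIES[1], "sn"),
              "/ on entry:", access(rules, PUBLICREADER, ENTRIES[1], "entry"))
```

Running it shows publicreader getting read on sn but none on "entry" under the posted rules, hence an empty result, and only the example.local entries under the corrected rules; the model also checks that writer keeps write access in both domains, which is the regression to watch for whenever a narrow clause is placed before a broad one.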