Re: 2 top level domains and acls
> access to *
> by dn="cn=Manager,dc=example,dc=local" write
> by dn="cn=writer,dc=example,dc=local" write
> by dn="cn=reader,dc=example,dc=local" read
> by * none
Shouldn't that be: by dn="cn=publicreader,dc=example,dc=local" read ?
regards,
den
On Mon, 2005-09-12 at 13:27 +1000, ben.norman@qmunity.net wrote:
> I have two top level domains in my openldap directory: example.local and
> other.local
> I have installed the suse93 packaged openldap server version 2.2.23.
> I would like to declare the following permissions:
> 1. "cn=Manager,dc=example,dc=local" and "cn=writer,dc=example,dc=local" can
> read, write and authenticate, i.e. do anything in both domains ...
> 2. "cn=reader,dc=example,dc=local" can read anything in both domains.
> 3. "cn=publicreader,dc=example,dc=local" can read mail, sn, givenname in
> example.local only.
> I was expecting the results of my test for public reader to give the sn and
> givenName for Joe Bloggs. It does not.
>
> What am I doing wrong?
> Do I need to supply different ACLs, or just the same ACLs in a different order?
>
> #slapd.conf file
> ###############################################################################
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/rfc2307bis.schema
> include /etc/openldap/schema/samba3.schema
> include /etc/openldap/schema/yast.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
>
> access to attrs=userPassword
> by anonymous auth
> by * none
>
> access to attrs=sn,givenName
> by users read
> by * none
>
> access to *
> by dn="cn=Manager,dc=example,dc=local" write
> by dn="cn=writer,dc=example,dc=local" write
> by dn="cn=reader,dc=example,dc=local" read
> by * none
>
> database ldbm
> suffix "dc=other,dc=local"
> suffix "dc=example,dc=local"
> rootdn "cn=Manager,dc=example,dc=local"
> rootpw secret
> directory /var/lib/ldap
>
> index objectClass eq
>
> This is a population script that I run to populate the directory.
> ###############################################################################
> :
>
> rcldap stop
> rm /var/lib/ldap/*
> rcldap start
>
> ldapadd -xWD "cn=Manager,dc=example,dc=local" <<HERE
>
> dn: dc=example,dc=local
> objectClass: dcObject
> objectClass: organization
> o: Sparke Helmore
> dc: example
>
> dn: dc=other,dc=local
> objectClass: dcObject
> objectClass: organization
> o: Non Sparke Helmore Organisations
> dc: other
>
> dn: cn=reader,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: reader
> userPassword: secret
>
> dn: cn=writer,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: writer
> userPassword: secret
>
> dn: cn=publicreader,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: publicreader
> userPassword: secret
>
> dn: uid=BDN,dc=example,dc=local
> objectClass: inetorgPerson
> uid: BDN
> sn: Bloggs
> givenName: Joe
> cn: Joe Bloggs
>
> HERE
>
> # These are the results of an ldapsearch using reader. Results are as expected
> ....
> ###############################################################################
> l0027:~/work # ldapsearch -D "cn=reader,dc=example,dc=local" -xb "dc=example,dc=local" -w secret
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=local> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # example.local
> dn: dc=example,dc=local
> objectClass: dcObject
> objectClass: organization
> o: Sparke Helmore
> dc: example
>
> # reader, example.local
> dn: cn=reader,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: reader
>
> # writer, example.local
> dn: cn=writer,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: writer
>
> # publicreader, example.local
> dn: cn=publicreader,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: publicreader
>
> # BDN, example.local
> dn: uid=BDN,dc=example,dc=local
> objectClass: inetOrgPerson
> uid: BDN
> sn: Bloggs
> givenName: Joe
> cn: Joe Bloggs
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 6
> # numEntries: 5
>
> # These are the results of an ldapsearch using public reader. I was expecting
> # to see the sn and givenName for Joe Bloggs but found nothing
> ###############################################################################
>
> l0027:~/work # ldapsearch -D "cn=publicreader,dc=example,dc=local" -xb "dc=example,dc=local" -w secret
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=local> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> thanks
> ben
>
>
> -----------------
> Utiba Pty Ltd
> This message has been scanned for viruses and
> dangerous content by Utiba mail server and is
> believed to be clean.
>
--
________________________________
Dennis Matotek
Network Attache' to the Utiba/Cooee/Mobilemadness Domains
Utiba Pty Ltd
dennis@utiba.com
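An added example, not taken from Dennis's reply or from Ben's mail: a slapd.conf ACL set in OpenLDAP 2.2 syntax that meets Ben's three requirements while giving publicreader only what requirement 3 asks for, which is narrower than adding publicreader to the catch-all "access to *" rule. It rests on the standard slapd rule that a search returns an entry only when the binding DN has read access to the "entry" pseudo-attribute and search access to every attribute in the filter (objectClass for the default "(objectclass=*)"); read implies search. Ben's catch-all gives publicreader "none" on both, which is consistent with the empty result ("numResponses: 1") above even though sn and givenName were readable "by users". The DNs and suffixes are the ones from the thread.

```conf
# Added example (not from the thread): slapd.conf ACLs for the three
# requirements in Ben's mail, OpenLDAP 2.2 syntax. Rules are tried in
# order: the first "access to" whose target matches decides, and within
# it the first matching "by" clause wins. The narrow publicreader rule
# therefore has to come before the catch-all.

# Passwords may be used to bind but are never returned. writer gets write
# so that it can set passwords, per requirement 1 ("do anything").
access to attrs=userPassword
    by anonymous auth
    by dn.exact="cn=writer,dc=example,dc=local" write
    by * none

# Requirement 3: publicreader reads mail, sn and givenName under
# dc=example,dc=local only. "entry" and objectClass are listed as well
# because slapd needs read on entry and search on the filter attribute
# to return any entry at all; without them the result set stays empty.
# writer and reader are repeated here because this rule also matches
# their requests for these attributes, and evaluation would otherwise
# stop at "by * none".
access to dn.subtree="dc=example,dc=local" attrs=entry,objectClass,mail,sn,givenName
    by dn.exact="cn=writer,dc=example,dc=local" write
    by dn.exact="cn=reader,dc=example,dc=local" read
    by dn.exact="cn=publicreader,dc=example,dc=local" read
    by * none

# Requirements 1 and 2 for everything else in both suffixes.
# cn=Manager,dc=example,dc=local is the rootdn and bypasses ACLs, so it
# needs no clause of its own.
access to *
    by dn.exact="cn=writer,dc=example,dc=local" write
    by dn.exact="cn=reader,dc=example,dc=local" read
    by * none
```

With these rules, re-running the publicreader ldapsearch from the mail should list the dc=example,dc=local entries with only objectClass visible, plus sn and givenName on uid=BDN; nothing under dc=other,dc=local is returned to publicreader. Ben's separate "access to attrs=sn,givenName by users read" rule is deliberately dropped: once entry access is granted it would expose sn and givenName in other.local to every bound user, including publicreader, which requirement 3 forbids. If the search still comes back empty, starting slapd with "-d 128" logs each ACL decision and shows which rule and clause denied the entry.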