
Re: 2 top level domains and acls



> access to *

>     by dn="cn=Manager,dc=example,dc=local"   write
>     by dn="cn=writer,dc=example,dc=local"    write
>     by dn="cn=reader,dc=example,dc=local"    read
>     by *                                        none


Shouldn't that be:  by dn="cn=publicreader,dc=example,dc=local"    read  ?

regards,
den
On Mon, 2005-09-12 at 13:27 +1000, ben.norman@qmunity.net wrote:

> I have two top level domains in my openldap directory: example.local and
> other.local.
> I have installed the suse93 packaged openldap server version 2.2.23.
> I would like to declare the following permissions:
> 1. "cn=Manager,dc=example,dc=local" and "cn=writer,dc=example,dc=local" can
> read, write and authenticate, i.e. do anything in both domains ...
> 2. "cn=reader,dc=example,dc=local" can read anything in both domains.
> 3. "cn=publicreader,dc=example,dc=local" can read mail, sn, givenName in
> example.local only.
> I was expecting the results of my test for publicreader to give the sn and
> givenName for Joe Bloggs. It does not.
> 
> What am I doing wrong?
> Do I need to supply different acls, or the same acls just in a different order?
> 
> #slapd.conf file
> ###############################################################################
> 
> include     /etc/openldap/schema/core.schema
> include     /etc/openldap/schema/cosine.schema
> include     /etc/openldap/schema/inetorgperson.schema
> include     /etc/openldap/schema/rfc2307bis.schema
> include     /etc/openldap/schema/samba3.schema
> include     /etc/openldap/schema/yast.schema
> 
> pidfile     /var/run/slapd/slapd.pid
> argsfile    /var/run/slapd/slapd.args
> 
> access to attrs=userPassword
>     by anonymous                                auth
>     by *                                        none
> 
> access to attrs=sn,givenName
>     by users                                    read
>     by *                                        none
> 
> access to *
>     by dn="cn=Manager,dc=example,dc=local"   write
>     by dn="cn=writer,dc=example,dc=local"    write
>     by dn="cn=reader,dc=example,dc=local"    read
>     by *                                        none
> 
> database    ldbm
> suffix      "dc=other,dc=local"
> suffix      "dc=example,dc=local"
> rootdn      "cn=Manager,dc=example,dc=local"
> rootpw      secret
> directory   /var/lib/ldap
> 
> index   objectClass eq
> 
> This is a population script that I run to populate the directory.
> ###############################################################################
> :
> 
> rcldap stop
> rm /var/lib/ldap/*
> rcldap start
> 
> ldapadd -xWD "cn=Manager,dc=example,dc=local" <<HERE
> 
> dn: dc=example,dc=local
> objectClass: dcObject
> objectClass: organization
> o: Sparke Helmore
> dc: example
> 
> dn: dc=other,dc=local
> objectClass: dcObject
> objectClass: organization
> o: Non Sparke Helmore Organisations
> dc: other
> 
> dn: cn=reader,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: reader
> userPassword: secret
> 
> dn: cn=writer,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: writer
> userPassword: secret
> 
> dn: cn=publicreader,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: publicreader
> userPassword: secret
> 
> dn: uid=BDN,dc=example,dc=local
> objectClass: inetorgPerson
> uid: BDN
> sn: Bloggs
> givenName: Joe
> cn: Joe Bloggs
> 
> HERE
> 
> # These are the results of an ldapsearch using reader. Results are as expected
> ....
> ###############################################################################
> l0027:~/work # ldapsearch -D "cn=reader,dc=example,dc=local" -xb
> "dc=example,dc=local" -w secret
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=local> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # example.local
> dn: dc=example,dc=local
> objectClass: dcObject
> objectClass: organization
> o: Sparke Helmore
> dc: example
> 
> # reader, example.local
> dn: cn=reader,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: reader
> 
> # writer, example.local
> dn: cn=writer,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: writer
> 
> # publicreader, example.local
> dn: cn=publicreader,dc=example,dc=local
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: publicreader
> 
> # BDN, example.local
> dn: uid=BDN,dc=example,dc=local
> objectClass: inetOrgPerson
> uid: BDN
> sn: Bloggs
> givenName: Joe
> cn: Joe Bloggs
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 6
> # numEntries: 5
> 
> # These are the results of an ldapsearch using public reader. I was expecting
> # to see the sn and givenName for Joe Bloggs but found nothing
> ###############################################################################
> 
> l0027:~/work # ldapsearch -D "cn=publicreader,dc=example,dc=local" -xb
> "dc=example,dc=local" -w secret
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=local> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1
> 
> thanks
> ben
> 
> 

-- 
________________________________
Dennis Matotek
Network Attache' to the Utiba/Cooee/Mobilemadness Domains
Utiba Pty Ltd
dennis@utiba.com
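A corrected ACL set for the three requirements in Ben's message, added here as a worked example rather than quoted from the thread; it keeps the original DNs and assumes the dn.subtree selector available in OpenLDAP 2.2. The point it shows: slapd uses the first "access to" clause whose target matches, and publicreader's only matches in the original were "attrs=sn,givenName" (read) and the final "access to *" (none), so it was denied the entry pseudo-attribute that every returned search entry requires, even though sn and givenName themselves were readable.

```conf
# --- Original (quoted above): publicreader matches only the
# "attrs=sn,givenName" clause, and the final "access to *" denies it
# the "entry" pseudo-attribute, so the search returns no entries at all.

# --- Corrected ACLs. First matching "access to" clause wins, so the
# narrowest clauses come first. Manager is rootdn and bypasses ACLs entirely.

# Passwords: anonymous may bind against them, writer may set them,
# nobody else (including reader and publicreader) can read them.
access to attrs=userPassword
    by anonymous                                   auth
    by dn="cn=writer,dc=example,dc=local"          write
    by *                                           none

# Requirement 3: publicreader reads mail, sn, givenName under
# dc=example,dc=local only. "entry" is included so the matching entries
# can be returned, objectClass so the (objectClass=*) filter can be
# evaluated. Nothing under dc=other,dc=local matches this clause, so
# publicreader falls through to "access to *" there and sees nothing.
access to dn.subtree="dc=example,dc=local" attrs=entry,objectClass,mail,sn,givenName
    by dn="cn=writer,dc=example,dc=local"          write
    by dn="cn=reader,dc=example,dc=local"          read
    by dn="cn=publicreader,dc=example,dc=local"    read
    by *                                           none

# Requirements 1 and 2 for everything else, in both suffixes.
access to *
    by dn="cn=writer,dc=example,dc=local"          write
    by dn="cn=reader,dc=example,dc=local"          read
    by *                                           none
```

With these in place the publicreader search in Ben's message should return uid=BDN with only its objectClass, sn and givenName (and mail if set), and the other attributes, the role entries' passwords, and the whole dc=other,dc=local tree stay hidden from it.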