access control after upgrade
( DB MOCKUP )
dc=local,dc=net
|
+-- ou=accounts
    |
    +-- ou=corporate
    |
    +-- ou=subscriber
( /DB MOCKUP )
-----------------------
These controls worked perfectly in 2.0.22:
access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
    by dn="cn=corpuser,dc=local,dc=net" write
    by anonymous read
access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
    by dn="cn=subuser,dc=local,dc=net" write
    by anonymous read
access to *
    by dn="cn=Manager,dc=local,dc=net" write
    by self write
    by anonymous read
In this way, I could have an admin that could manage the corporate
entries, and a separate admin to manage the subscriber entries.
In 2.3.11, 'cn=corpuser,dc=local,dc=net' can only read itself and can't
update anything under "ou=corporate,ou=accounts,dc=local,dc=net". I've
tried varying degrees of dn.subtree and dn.exact etc.
The only difference between the old config and the new one is this:
access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
    by dn="cn=corpuser,dc=local,dc=net" write
    by anonymous read
access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
    by dn="cn=subuser,dc=local,dc=net" write
    by anonymous read
access to *
    by dn="cn=Syncuser,dc=local,dc=net" read
The Manager line in the old config was admittedly unnecessary, but I put
Syncuser in its place for syncrepl replication (which is working great!).
Is this Syncuser overrunning the permissions of the two subtree
managers?
I've read slapd.access a fair bit and it seems everything's geared toward
reading attributes of a one-OU directory.
--
Aaron Thoreson
aaront@midco.net
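slapd evaluates an access list first-match: the first "access to" clause whose target matches the entry is selected, and within that clause the first "by" that matches the requester decides the outcome; if no "by" in the selected clause matches, access is denied rather than falling through. As an added example that is not part of Aaron's message, the Python below replays the 2.3.11 list above under two readings of the target clause. It assumes (labelled in the code) that an unqualified dn= target matches only the named entry, while dn.subtree matches the entry and everything beneath it; the entry uid=alice is constructed for the example.

```python
# First-match simulator for the slapd access lists quoted in the message.
# Assumption (for this example, not taken from the message): an unqualified
# dn="..." target matches only that exact entry; dn.subtree="..." matches the
# entry and every entry beneath it. Requesters are compared case-insensitively.
from dataclasses import dataclass

ANON = "anonymous"          # unauthenticated bind (bind_dn is None)

@dataclass
class Rule:
    what: str               # "*" or a target DN
    style: str              # "exact" or "subtree"
    by: list                # [(who, level)] in order; who is a DN, "self", "*" or ANON

def target_matches(rule, entry_dn):
    if rule.what == "*":
        return True
    entry, target = entry_dn.lower(), rule.what.lower()
    if rule.style == "subtree":
        return entry == target or entry.endswith("," + target)
    return entry == target

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == ANON:
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    return bind_dn is not None and bind_dn.lower() == who.lower()

def access(rules, bind_dn, entry_dn):
    """Access level granted to bind_dn on entry_dn, or 'none' when denied."""
    for rule in rules:
        if not target_matches(rule, entry_dn):
            continue
        for who, level in rule.by:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"       # clause selected but no 'by' matched: evaluation stops
    return "none"           # no clause matched at all

CORP = "cn=corpuser,dc=local,dc=net"
SYNC = "cn=Syncuser,dc=local,dc=net"
OU_CORP = "ou=corporate,ou=accounts,dc=local,dc=net"
OU_SUB = "ou=subscriber,ou=accounts,dc=local,dc=net"

def new_config(style):
    """The 2.3.11 list from the message, with the target style made explicit."""
    return [
        Rule(OU_CORP, style, [(CORP, "write"), (ANON, "read")]),
        Rule(OU_SUB, style, [("cn=subuser,dc=local,dc=net", "write"), (ANON, "read")]),
        Rule("*", "exact", [(SYNC, "read")]),
    ]
```

Calling access(new_config("exact"), CORP, "uid=alice," + OU_CORP) shows the child entry falling through to the final "access to *" clause, where only Syncuser is listed; with "subtree" the first clause is selected and corpuser gets write.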