
Re: access control after upgrade
--On Thursday, November 10, 2005 3:17 PM -0600 Aaron Thoreson <aaront@midco.net> wrote:

( DB MOCKUP )
dc=local,dc=net
  |
ou=accounts
  |	|
  |	|
  |	ou=corporate
  |
ou=subscriber
( /DB MOCKUP )

-----------------------
These controls worked perfectly in 2.0.22:

access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
         by dn="cn=corpuser,dc=local,dc=net" write
         by anonymous read
access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
         by dn="cn=subuser,dc=local,dc=net" write
         by anonymous read
access to *
         by dn="cn=Manager,dc=local,dc=net" write
         by self write
         by anonymous read

In this way, I could have an admin that could manage the corporate
entries, and a separate admin to manage the subscriber entries.

In 2.3.11, 'cn=corpuser,dc=local,dc=net' can only read itself and can't
update anything under "ou=corporate,ou=accounts,dc=local,dc=net". I've
tried varying degrees of dn.subtree and dn.exact etc.

The only difference between the old config and the new one is this:

access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
         by dn="cn=corpuser,dc=local,dc=net" write
         by anonymous read
access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
         by dn="cn=subuser,dc=local,dc=net" write
         by anonymous read
access to *
         by dn="cn=Syncuser,dc=local,dc=net" read

The Manager line in the old config was admittedly unnecessary, but I put
Syncuser in its place for synrepl replication ( which is working great!
).  Is this Syncuser overrunning the permissions of the two subtree
managers?

I've read slapd.access a fair bit and it seems everything's geared toward
reading attributes of a one OU directory.

ACLs are applied in the order read. This means that you are denying syncuser READ to anything in "ou=corporate..." and "ou=subscriber..."


If you want syncuser to read *everything*, the access to * needs to come first.

You might find:

<http://www.stanford.edu/services/directory/openldap/configuration/>

of some help, specifically the ACLs section.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
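To check how the first-match rule plays out on the ACLs quoted in this thread, here is an added Python evaluator (not OpenLDAP's code) that applies slapd's first-matching-`access to`, first-matching-`by` semantics to the 2.3.11 rule set. It assumes every `to dn=` target matches as a subtree and that `by dn=` compares exact DNs; the `FIXED_CONFIG` variant, which names Syncuser inside each subtree clause, is an addition here and not something the thread proposes.

```python
# Added example (not OpenLDAP's code): a first-match evaluator for slapd-style ACLs.
# Assumption: every 'to dn=...' target is matched as a subtree; real slapd applies the
# dn.exact / dn.subtree / dn.regex style keyword given on each clause.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # privilege ladder

def in_subtree(entry, base):
    return base == "*" or entry == base or entry.endswith("," + base)

def who_matches(who, bind_dn, entry):
    if who == "*":
        return True
    if who == "anonymous":            # only an unauthenticated bind matches this
        return bind_dn is None
    if who == "self":
        return bind_dn == entry
    return bind_dn == who             # 'by dn="..."' compared as an exact DN (assumption)

def access(rules, bind_dn, entry):
    """First 'access to' whose target matches the entry is used; inside it the first
    matching 'by' clause sets the level; if no 'by' matches, access is denied."""
    for target, by_clauses in rules:
        if in_subtree(entry, target):
            for who, level in by_clauses:
                if who_matches(who, bind_dn, entry):
                    return level
            return "none"
    return "none"

def allows(rules, bind_dn, entry, need):
    return LEVELS.index(access(rules, bind_dn, entry)) >= LEVELS.index(need)

# DNs and the 2.3.11 ACL set quoted in the thread.
CORP = "ou=corporate,ou=accounts,dc=local,dc=net"
SUB = "ou=subscriber,ou=accounts,dc=local,dc=net"
CORPUSER, SUBUSER = "cn=corpuser,dc=local,dc=net", "cn=subuser,dc=local,dc=net"
SYNCUSER = "cn=Syncuser,dc=local,dc=net"
NEW_CONFIG = [
    (CORP, [(CORPUSER, "write"), ("anonymous", "read")]),
    (SUB, [(SUBUSER, "write"), ("anonymous", "read")]),
    ("*", [(SYNCUSER, "read")]),
]
# Variant added here: name Syncuser inside each subtree clause, so the subtree admins
# keep write while the replication consumer can read the subtrees as well.
FIXED_CONFIG = [
    (CORP, [(CORPUSER, "write"), (SYNCUSER, "read"), ("anonymous", "read")]),
    (SUB, [(SUBUSER, "write"), (SYNCUSER, "read"), ("anonymous", "read")]),
    ("*", [(SYNCUSER, "read")]),
]
```

With `NEW_CONFIG`, `allows(NEW_CONFIG, SYNCUSER, "uid=alice," + CORP, "read")` is False because the corporate clause matches first and has no `by` for Syncuser, while the same call on `FIXED_CONFIG` is True and corpuser still gets write.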