Re: ACL question...
On Sat, 2006-01-14 at 08:23 -0800, Kurt D. Zeilenga wrote:
> At 10:33 PM 1/12/2006, Krishna Sivaramapuram wrote:
> >I don't get it. Can you please explain a bit?
You may need further access control e.g. to allow users to bind and to
allow reading other stuff; here I focus on the essential part.
Basically:
# --- One-user version ---
# Allow owner to write entries
access to dn.exact="cn=ABook,uid=user,dc=example,dc=com"
attrs=children
by dn.exact="uid=user,dc=example,dc=com" write
# Allow owner to register authorized people
access to dn.exact="cn=ABook access,uid=user,dc=example,dc=com"
by dn.exact="uid=user,dc=example,dc=com" write
# Allow owner to write and group members to read entries
access to dn.subtree="cn=ABook,uid=user,dc=example,dc=com"
by dn.exact="uid=user,dc=example,dc=com" write
by group="cn=ABook access,uid=user,dc=example,dc=com" read
# --- regex version ---
# Allow owner to write entries
access to dn.regex="^cn=ABook,uid=([^,]+),dc=example,dc=com$"
attrs=children
by dn.exact,expand="uid=$1,dc=example,dc=com" write
# Allow owner to register authorized people
access to dn.regex="^cn=ABook access,uid=([^,]+),dc=example,dc=com$"
by dn.exact,expand="uid=$1,dc=example,dc=com" write
# Allow owner to write and group members to read entries
access to dn.regex="^(.+,)?cn=ABook,uid=([^,]+),dc=example,dc=com$"
by dn.exact,expand="uid=$2,dc=example,dc=com" write
by group.expand="cn=ABook access,uid=$2,dc=example,dc=com" read
>
> I don't have time at the moment to explain it in detail.
>
> >If I create a group under a user with a list of member DNs from the LDAP tree, how do I use that access group to give access to those DNs to use personal addressbooks of that user?
>
> Start with one user, use "by group".
> Expand to multiple users through use of .regex/.expand.
>
> >Also, let's say this user creates multiple named personal addressbooks and he wants to give different kinds of permissions to different users. How can I do this with this scheme?
>
> Fancier regular expressions.
>
> >Is there any good book that discusses these kinds of strategies?
> Well, I suggest you start with the Admin Guide and FAQ.
The most complete doc is the slapd.access(5) man page; it's meant as a
reference guide, not a tutorial. I suggest you follow Kurt's
suggestions and, in case you need details about specific directives,
look them up in slapd.access(5).
> Once you understand the basics, which these documents
> cover (and then some) reasonably well, you should be able
> to build additionally complex ACLs. You might want to
> read up on regular expressions, the FAQ has some pointers.
p.
Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
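As an added illustration, not part of this thread or of OpenLDAP itself: a small Python simulator of how slapd evaluates the regex version of the ACLs above. It models only the target regex and the ordered `dn.exact,expand` / `group.expand` "by" clauses (the `attrs=children` clause is left out), against a constructed group entry for a hypothetical uid=alice whose only member is uid=bob.

```python
import re

# Constructed sample data, not taken from any real server:
# the owner's "ABook access" group entry and its member DNs.
GROUPS = {
    "cn=ABook access,uid=alice,dc=example,dc=com": {"uid=bob,dc=example,dc=com"},
}

# The regex ACLs from the message, reduced to what this simulator models:
# (target regex, ordered list of (by-kind, who-template, access level)).
ACLS = [
    (r"^cn=ABook access,uid=([^,]+),dc=example,dc=com$",
     [("dn.exact,expand", "uid=$1,dc=example,dc=com", "write")]),
    (r"^(.+,)?cn=ABook,uid=([^,]+),dc=example,dc=com$",
     [("dn.exact,expand", "uid=$2,dc=example,dc=com", "write"),
      ("group.expand", "cn=ABook access,uid=$2,dc=example,dc=com", "read")]),
]


def expand(template, match):
    """Replace $1, $2, ... with the capture groups of the target-DN match."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template)


def access_for(target_dn, bind_dn):
    """Access level the bound DN gets on target_dn, or 'none'.

    Mirrors slapd's evaluation order: clauses are tried top to bottom, the
    first clause whose target matches is the only one considered, and within
    it the first matching "by" clause decides.  A target match with no
    matching "by" clause falls through to the implicit "by * none".
    """
    for target_re, by_clauses in ACLS:
        m = re.match(target_re, target_dn)
        if not m:
            continue
        for kind, template, level in by_clauses:
            subject = expand(template, m)
            if kind == "dn.exact,expand" and bind_dn == subject:
                return level
            if kind == "group.expand" and bind_dn in GROUPS.get(subject, set()):
                return level
        return "none"
    return "none"


if __name__ == "__main__":
    book = "cn=Bob Contact,cn=ABook,uid=alice,dc=example,dc=com"
    for who in ("uid=alice,dc=example,dc=com", "uid=bob,dc=example,dc=com",
                "uid=carol,dc=example,dc=com"):
        print(who, "->", access_for(book, who))
```

Note that uid=bob gets read on alice's entries but not write on her "ABook access" group, so members cannot add themselves or others to it.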