
Re: Access Control between two domains.



At 10:33 PM 6/16/2006, Manilal K M wrote:
>Hello all,
>   I have an openldap implementation with a number of domains. Now I
>need to grant access permission to the Global Address Book of two
>domains. For example my first domain is alpha and second domain is
>beta. I want to share the Global Address Book of alpha with beta and
>vice versa. I have made a simple configuration in
>/etc/openldap/slapd.conf. Here is the acl:
>
>access to dn.regex="ou=Global Address Book,o=alpha,o=com,c=US"
>       by dn.regex="uid=(.+),ou=People,o=beta,o=com,c=US" read
>       by * none
>access to dn.regex="ou=Global Address Book,o=beta,o=com,c=US"
>       by dn.regex="uid=(.+),ou=People,o=alpha,o=com,c=US" read
>       by * none

For any target entry matching the above, only the above
apply.  The "by * none" sees to that. 

>#####This is the default permission
>access to dn.regex="ou=Global Address Book,o=(.+),o=(.+),c=US"
>       by dn.regex=".+@$1\.$2" write
>       by * none
>##################################################
>access to dn.regex="ou=(.+),ou=Personal Address Book,o=(.+),o=(.+),c=US"
>       by dn.regex="$1" write
>       by * none
>access to dn.regex="uid=(.+),ou=People,o=(.+),o=(.+),c=US"
>       by self write
>       by peername="127\.0\.0\.1" read
>       by anonymous auth
>       by * none
>access to dn="cn=subschema"
>       by * read
>
>When I comment the default permission it works, but if I uncomment
>them the sharing won't work. Does the above configuration make sense?
>
>regards
>Manilal
>
>
>-- 
>I would rather be a serf in a poor man's house and be above ground
>than reign among the dead
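As an added illustration of the reply's point (this is example code, not part of the thread and not OpenLDAP's own implementation), the following Python model reproduces only the first-match semantics of slapd.access(5): the first `access to` directive whose target matches is the only one consulted, and within it the first matching `by` clause decides, so `by * none` ends evaluation for every requester. It is run over the directives exactly as posted, with constructed sample DNs. Assumptions of the model: DN patterns are matched as case-insensitive, unanchored regexes; `$1`/`$2` in a `by dn.regex` are replaced with the captures from the target regex; `peername` is matched as a regex against the peer string; and a directive in which no `by` clause matches denies access without falling through.

```python
"""Toy model of slapd ACL evaluation order, run over the posted directives.

Added teaching example, not OpenLDAP code.  Only first-match semantics are
modelled: the first <access to> whose target matches wins, the first matching
<by> clause within it decides, and "by * none" matches everyone.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class By:
    who: str            # "*", "self", "anonymous", "peername", "dn.regex"
    access: str         # none / auth / read / write
    pattern: str = ""   # regex for dn.regex and peername clauses

@dataclass
class Access:
    target: str         # DN regex (dn.regex) or exact DN (dn=)
    by: List[By]
    regex: bool = True  # False models dn="..." exact matching

def _expand(pattern: str, groups: Tuple[str, ...]) -> str:
    """Substitute $1, $2 ... with the captures of the target regex (raw, as slapd does)."""
    return re.sub(r"\$(\d+)", lambda m: groups[int(m.group(1)) - 1], pattern)

def _who_matches(clause: By, groups, target_dn: str,
                 requester_dn: Optional[str], peer: Optional[str]) -> bool:
    if clause.who == "*":
        return True
    if clause.who == "anonymous":
        return not requester_dn
    if clause.who == "self":
        return bool(requester_dn) and requester_dn.lower() == target_dn.lower()
    if clause.who == "peername":   # assumption: regex against the peer string
        return peer is not None and re.search(clause.pattern, peer) is not None
    if clause.who == "dn.regex":
        if not requester_dn:
            return False
        return re.search(_expand(clause.pattern, groups), requester_dn, re.IGNORECASE) is not None
    raise ValueError(f"unsupported <who>: {clause.who}")

def evaluate(rules: List[Access], target_dn: str,
             requester_dn: Optional[str] = None, peer: Optional[str] = None):
    """Return (access, index of the deciding directive); ("none", None) if no target matched."""
    for idx, rule in enumerate(rules):
        if rule.regex:
            m = re.search(rule.target, target_dn, re.IGNORECASE)
            if m is None:
                continue
            groups = m.groups()
        else:
            if rule.target.lower() != target_dn.lower():
                continue
            groups = ()
        for clause in rule.by:
            if _who_matches(clause, groups, target_dn, requester_dn, peer):
                return clause.access, idx
        return "none", idx   # assumption: no <by> matched -> denied, no fall-through
    return "none", None

# The directives exactly as posted, in posted order.
POSTED_RULES = [
    Access(r"ou=Global Address Book,o=alpha,o=com,c=US",
           [By("dn.regex", "read", r"uid=(.+),ou=People,o=beta,o=com,c=US"), By("*", "none")]),
    Access(r"ou=Global Address Book,o=beta,o=com,c=US",
           [By("dn.regex", "read", r"uid=(.+),ou=People,o=alpha,o=com,c=US"), By("*", "none")]),
    Access(r"ou=Global Address Book,o=(.+),o=(.+),c=US",   # the "default permission"
           [By("dn.regex", "write", r".+@$1\.$2"), By("*", "none")]),
    Access(r"ou=(.+),ou=Personal Address Book,o=(.+),o=(.+),c=US",
           [By("dn.regex", "write", r"$1"), By("*", "none")]),
    Access(r"uid=(.+),ou=People,o=(.+),o=(.+),c=US",
           [By("self", "write"), By("peername", "read", r"127\.0\.0\.1"),
            By("anonymous", "auth"), By("*", "none")]),
    Access("cn=subschema", [By("*", "read")], regex=False),
]

# Constructed sample DNs (not taken from the thread).
ALPHA_GAB = "ou=Global Address Book,o=alpha,o=com,c=US"
GAMMA_GAB = "ou=Global Address Book,o=gamma,o=com,c=US"
ALICE = "uid=alice@alpha.com,ou=People,o=alpha,o=com,c=US"
BOB = "uid=bob@beta.com,ou=People,o=beta,o=com,c=US"
CAROL = "uid=carol@gamma.com,ou=People,o=gamma,o=com,c=US"

if __name__ == "__main__":
    for target, who in [(ALPHA_GAB, BOB), (ALPHA_GAB, ALICE), (GAMMA_GAB, CAROL),
                        (CAROL, CAROL), (CAROL, None)]:
        print(f"{who or 'anonymous':50} -> {target:45}: {evaluate(POSTED_RULES, target, who)}")
```

Running it shows what the reply describes: a beta user gets `read` on alpha's Global Address Book from the first directive, but an alpha user on the same entry is stopped by that directive's `by * none` and never reaches the later "default" directive that would have granted `write`; only a domain not named in the first two directives (gamma here) ever reaches the default rule.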