Re: Access Control between two domains.
At 10:33 PM 6/16/2006, Manilal K M wrote:
>Hello all,
> I have an openldap implementation with a number of domains. Now I
>need to grant access permission to the Global Address Book of two
>domains. For example my first domain is alpha and second domain is
>beta. I want to share the Global Address Book of alpha with beta and
>vice versa. I have made a simple configuration in
>/etc/openldap/slapd.conf. Here is the acl:
>
>access to dn.regex="ou=Global Address Book,o=alpha,o=com,c=US"
> by dn.regex="uid=(.+),ou=People,o=beta,o=com,c=US" read
> by * none
>access to dn.regex="ou=Global Address Book,o=beta,o=com,c=US"
> by dn.regex="uid=(.+),ou=People,o=alpha,o=com,c=US" read
> by * none
For any target entry matching the above, only the above
apply. The "by * none" sees to that.
>#####This is the default permission
>access to dn.regex="ou=Global Address Book,o=(.+),o=(.+),c=US"
> by dn.regex=".+@$1\.$2" write
> by * none
>##################################################
>access to dn.regex="ou=(.+),ou=Personal Address Book,o=(.+),o=(.+),c=US"
> by dn.regex="$1" write
> by * none
>access to dn.regex="uid=(.+),ou=People,o=(.+),o=(.+),c=US"
> by self write
> by peername="127\.0\.0\.1" read
> by anonymous auth
> by * none
>access to dn="cn=subschema"
> by * read
>
>When I comment out the default permission it works, but if I uncomment
>it the sharing won't work. Does the above configuration make sense?
>
>regards
>Manilal
>
>
>--
>I would rather be a serf in a poor man's house and be above ground
>than reign among the dead
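The first-matching-clause behaviour the reply points at, as an added example that is not part of the original thread and is not OpenLDAP code: a small, constructed Python model of how slapd selects an "access to" directive (the first one whose target matches the entry is the only one consulted; inside it, the first matching "by" line decides; anything unmatched is denied). It is run over the posted Global Address Book clauses, and over a merged variant in which each domain's clause carries every "by" line that should apply to that entry. The requester DNs (uid=alice, uid=bob), the o=gamma entry and the choice to identify local users by their ou=People DN for the write grant are assumptions made for the example; peername, attribute targets and the break/stop/continue controls are not modelled.

```python
import re
from typing import List, Optional, Tuple

# Constructed model of slapd ACL evaluation (example code, not OpenLDAP's).
# Modelled "by" forms: dn.regex, self, anonymous and "*".
# Regex patterns are searched unanchored, exactly as written in the posted config.

class AccessClause:
    """One 'access to dn.regex=<target> by <who> <level> ...' directive."""
    def __init__(self, target_regex: str, by: List[Tuple[str, str]]):
        self.target = re.compile(target_regex)
        self.by = by  # ordered (who, level) pairs, in written order

def _expand(pattern: str, match) -> str:
    # slapd copies $1..$9 from the target match literally into a "by" dn.regex.
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), pattern)

def evaluate(acls: List[AccessClause], entry_dn: str, requester_dn: Optional[str]) -> str:
    """Access level requester_dn (None = anonymous) gets on entry_dn."""
    for clause in acls:
        m = clause.target.search(entry_dn)
        if m is None:
            continue                     # target does not match, try next directive
        for who, level in clause.by:
            if who == "*":
                return level
            if who == "anonymous":
                if requester_dn is None:
                    return level
                continue
            if requester_dn is None:
                continue                 # anonymous never matches self/dn.regex
            if who == "self":
                if requester_dn == entry_dn:
                    return level
                continue
            if re.search(_expand(who, m), requester_dn):
                return level
        return "none"                    # first matching directive, no "by" matched
    return "none"                        # no directive matched the entry

ALPHA_GAB = "ou=Global Address Book,o=alpha,o=com,c=US"
BETA_GAB = "ou=Global Address Book,o=beta,o=com,c=US"
ALPHA_PEOPLE = r"uid=(.+),ou=People,o=alpha,o=com,c=US"
BETA_PEOPLE = r"uid=(.+),ou=People,o=beta,o=com,c=US"
DEFAULT_GAB = AccessClause(r"ou=Global Address Book,o=(.+),o=(.+),c=US",
                           [(r".+@$1\.$2", "write"), ("*", "none")])

# The Global Address Book directives in the order they were posted.
POSTED = [
    AccessClause(ALPHA_GAB, [(BETA_PEOPLE, "read"), ("*", "none")]),
    AccessClause(BETA_GAB, [(ALPHA_PEOPLE, "read"), ("*", "none")]),
    DEFAULT_GAB,   # never reached for the alpha/beta address books
]

# Merged variant (assumption: local users are identified by their People DN).
MERGED = [
    AccessClause(ALPHA_GAB, [(ALPHA_PEOPLE, "write"), (BETA_PEOPLE, "read"), ("*", "none")]),
    AccessClause(BETA_GAB, [(BETA_PEOPLE, "write"), (ALPHA_PEOPLE, "read"), ("*", "none")]),
    DEFAULT_GAB,   # still covers any other domain under o=com
]

# The posted People directive, minus the peername line.
PEOPLE = AccessClause(r"uid=(.+),ou=People,o=(.+),o=(.+),c=US",
                      [("self", "write"), ("anonymous", "auth"), ("*", "none")])

ALICE = "uid=alice,ou=People,o=alpha,o=com,c=US"   # constructed alpha user
BOB = "uid=bob,ou=People,o=beta,o=com,c=US"        # constructed beta user

if __name__ == "__main__":
    for label, acls in (("posted", POSTED), ("merged", MERGED)):
        print(label, "bob on alpha GAB:", evaluate(acls, ALPHA_GAB, BOB))
        print(label, "alice on alpha GAB:", evaluate(acls, ALPHA_GAB, ALICE))
```

Running it shows the symptom from the question: under the posted order bob (beta) reads alpha's address book, but alice (alpha) gets "none" on her own domain's book because the first directive already matched and ended with "by * none", so the "default permission" line is never consulted. In the merged variant the same directive grants both, and the generic clause still serves other domains.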