[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: overlay unique - multiple suffixes

To: openldap-software@openldap.org
Subject: Re: overlay unique - multiple suffixes
From: Andreas Schoe <andi@gfz-potsdam.de>
Date: Thu, 31 Jul 2008 10:31:38 +0200
In-reply-to: <Pine.SOC.4.64.0807291655550.20589@toolbox.rutgers.edu>
References: <488F2D56.6060306@gfz-potsdam.de> <488F7A9F.5020101@stroeder.com> <Pine.SOC.4.64.0807291655550.20589@toolbox.rutgers.edu>
User-agent: Thunderbird 2.0.0.14 (X11/20080513)

Yes,

there are different reasons for this strict distinction. Especially for security reasons.

I think I have to choose the same naming context for both suffixes, if I would create a meta database and put slapo-unique there.

Is it an alternative? If it is, could I create a meta database with different naming contexts?

Aaron Richton schrieb:

On Tue, 29 Jul 2008, Michael Ströder wrote:
I have two suffixes with two bdb backends, in the first suffix you find internal and in the second suffix you find external users.
You could glue the suffixes together under a common suffix if it does not violate your security requirements and place slapo-unique there.
Presumably, the two suffix values are known in advance as constants. Therefore it should be fairly trivial to write ACLs along the lines of:
access to dn.subtree="ou=Area1,dc=suffix" [mostlyAllow]
access to dn.subtree="ou=Area2,dc=suffix" [mostlyAllow]
access to dn.subtree="dc=suffix" [mostlyDeny]
which should allow slapo-unique to be used (under access internal to slapd) while not granting additional access to the external world.

References:
- overlay unique - multiple suffixes
  - From: Andreas Schoe <andi@gfz-potsdam.de>
- Re: overlay unique - multiple suffixes
  - From: Michael Ströder <michael@stroeder.com>
- Re: overlay unique - multiple suffixes
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

Prev by Date: Re: N-way multimaster
Next by Date: Re: Help with ACL's for Users/Groups
Index(es):
- Chronological
- Thread