
Re: LDAP Access controls



Oops, my bad, I cut and pasted the rules wrong.

olcAccess: {1}to
dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * read



olcAccess: {2}to
dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca" write by * read


cheers,
darryl

Darryl Moore wrote:
> Well, with a bunch of reading and even more experimentation I have been
> able to set up access to individual users' Address Books with the
> following rule:
> 
> olcAccess: {1}to
> dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write b$
> 
> I want to set up a separate address book below various user groups as
> well, and give write access only to the members. I think the following
> will work.
> 
> olcAccess: {2}to
> dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca$" write
> 
> Two questions.
> 
> First do both these rules look reasonable? Are there any glaring
> security holes I'm missing? I think I have it right.
> 
> Two. Once I have this working I want to be able to set up various users
> as administrators to groups. (As you can do with gpasswd/gshadow in
> Linux) I looked around a lot, but have not seen anything that appears to
> allow you to do this with LDAP. Am I going to need to modify schemas to
> do this? <gulp>
> 
> Wow, I may be ready for my LPIC3 once I've figured all this out.
> 
> cheers,
> darryl
> 
> Darryl Moore wrote:
>> Thanks again, I think I figured it out. I made some edits to the
>> olcDatabase={1}bdb.ldif file in the slapd.d, and was able to write to
>> the database. (It sure does help when you read the right set of
>> instructions)
>>
>
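To sanity-check what the two corrected rules actually grant, here is an added Python model (not slapd's code and not from the thread) of how an olcAccess dn.regex target and its $1 expansion resolve for a given target DN and bind DN, answering the poster's "do both these rules look reasonable" for both rules at once. It assumes the regex is an unanchored search (the rules only anchor the end with $), a constructed posixGroup fragment, and that the group/posixGroup/memberUid clause compares the bind DN's uid against memberUid values, which is what the rule intends; confirm that last point against slapd.access(5) and a real slapd before relying on it.

```python
import re

# The two corrected olcAccess clauses from the reply: (target regex, expanded "by" DN)
USER_RULE_TARGET = re.compile(r"cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$")
USER_RULE_WHO = "uid=$1,ou=People,dc=moores,dc=ca"
GROUP_RULE_TARGET = re.compile(r"cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$")
GROUP_RULE_WHO = "cn=$1,ou=Groups,dc=moores,dc=ca"

# Constructed posixGroup entries: group DN -> memberUid values (assumption, sample data)
GROUPS = {
    "cn=staff,ou=Groups,dc=moores,dc=ca": {"alice", "bob"},
}


def expand(template, match):
    """Substitute $1..$9 in the 'by' clause with the target regex's capture groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)


def uid_of(bind_dn):
    """Extract the uid from a People DN; None for anonymous or foreign DNs."""
    m = re.match(r"uid=([^,]+),ou=People,dc=moores,dc=ca$", bind_dn)
    return m.group(1) if m else None


def access(target_dn, bind_dn):
    """Return 'write', 'read' or 'none' for bind_dn on target_dn; first matching rule wins."""
    # Rule {1}: a user's own address book (and, since ^ is absent, entries below it)
    m = USER_RULE_TARGET.search(target_dn)
    if m:
        return "write" if bind_dn == expand(USER_RULE_WHO, m) else "read"
    # Rule {2}: a group's address book, writable by that group's memberUid values
    m = GROUP_RULE_TARGET.search(target_dn)
    if m:
        group_dn = expand(GROUP_RULE_WHO, m)  # a stray '$' here (as in the first draft) would never match
        if uid_of(bind_dn) in GROUPS.get(group_dn, set()):
            return "write"
        return "read"  # "by * read": everyone, including anonymous, can read
    return "none"  # neither rule applies; later olcAccess clauses would decide
```

Because the target regexes lack a leading ^, a contact entry such as cn=Bob,cn=Contacts,uid=alice,... also matches rule {1}, which is what makes the address book writable as a subtree.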