
Re: Dynamic configuration / admin users



On 10/19/12 12:36 +0900, Simon Walter wrote:
> Debian Squeeze is using the dynamic configuration. While I am sure there are benefits, all the documentation is for static configuration (slapd.conf).
>
> I've got a basic tree up and running and several services are using it no problem. There are several things I'd like to do, like replication. For this and some other services, SOGo for example, that don't bind anonymously, I'd like to create some more users for this. I could be mistaken, but perhaps they need some kind of admin privileges. If not, that means that any user can modify anything in the tree.

I'm not familiar with SOGo. A typical configuration might include a rootdn
for configuration purposes, and one or more administrative users which are
allowed piecemeal access to add/change your tree, restricted by ACLs.

Those administrative users can be user entries within your tree, or SASL
(authc) identities.

> I see various information about ACI and ACL and access.conf. I can't find clear documentation about how any of this relates to dynamic configurations.

See the manpage for slapd-config, and the OpenLDAP Administrator's Guide;
Chapter 8 covers Access Control.

> To conclude, how do I add additional users to a dynamically configured OpenLDAP tree and configure those users with specific access permissions?

*Adding* users shouldn't be any different (the tree itself is no different,
only the configuration backend). ACL configuration for you will be a
one-to-one mapping from the slapd.conf config statements, in whatever
documentation you're reading, to the slapd-config dynamic config statements
(compare the slapd.conf and slapd-config manpages).

--
Dan White
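
The one-to-one mapping described in the reply above, as an added example that is not part of the original message: a small converter that turns slapd.conf `access to` directives into an ordered `olcAccess` LDIF for the dynamic configuration. The suffix, the service-account DNs and the database DN `olcDatabase={1}hdb,cn=config` are assumptions; the sample ACLs are constructed.

```python
import re

# Constructed slapd.conf excerpt. The suffix and the service-account DNs
# (cn=sogo, cn=replicator) are assumptions for illustration only.
SLAPD_CONF = """\
# ACLs as the static-configuration documentation writes them
access to attrs=userPassword
    by self write
    by dn.exact="cn=replicator,ou=services,dc=example,dc=com" read
    by anonymous auth
    by * none
access to *
    by dn.exact="cn=sogo,ou=services,dc=example,dc=com" read
    by dn.exact="cn=replicator,ou=services,dc=example,dc=com" read
    by self read
    by * none
"""


def logical_lines(conf_text):
    """Join slapd.conf continuation lines (leading whitespace), drop comments."""
    lines = []
    for raw in conf_text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return [line for line in lines if not line.startswith("#")]


def to_olc_access_ldif(conf_text, database_dn):
    """Render every 'access to' directive as an ordered olcAccess value."""
    rules = [l for l in logical_lines(conf_text) if re.match(r"access\s+to\s", l)]
    # 'replace' overwrites the ACLs already on that database entry.
    out = [f"dn: {database_dn}", "changetype: modify", "replace: olcAccess"]
    for index, rule in enumerate(rules):
        # The value is the directive without its 'access' keyword; the {n}
        # prefix preserves file order, which matters because the first
        # matching rule wins.
        out.append("olcAccess: {%d}%s" % (index, re.sub(r"^access\s+", "", rule)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Assumed database DN; check the real one under cn=config first.
    print(to_olc_access_ldif(SLAPD_CONF, "olcDatabase={1}hdb,cn=config"))
```

Review the generated LDIF before loading it; on Debian it is typically applied as root with `ldapmodify -Y EXTERNAL -H ldapi:///`.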