
Re: ACLs



Until the SaslRegExp directive gets used, SASL identities have no relation to
user DNs. uid=steve may be able to write to userPassword under
"uid=steve,ou=People,dc=sprinter,dc=org", but ldappasswd while being
authenticated as this identity will result in an error. Using SASL/GSSAPI will
make this statement pointless, but there may be cases when an actual DN is
desired, such as when using the dnattr ACL directive.

Alexander Brinkman wrote:

> Thanks everyone, I have it working now...
>
> Perhaps there are more people struggling with this, so here are some
> pointers on how I have it working:
>
> My ACLs are now: (they are not perfect, but it works :))
>
> access to dn="^uid=([^,]+),ou=People,dc=sprinter,dc=org"
>         attrs=userPassword
>         by dn="uid=$1" write
>         by dn="cn=Manager,dc=sprinter,dc=org" write
>         by self write
>         by anonymous auth
>         by * none
>
> access to attr=userPassword
>         by self write
>         by dn="cn=Manager,dc=sprinter,dc=org" write
>         by anonymous auth
>         by * none
>
> access to *
>         by self write
>         by dn="cn=Manager,dc=sprinter,dc=org" write
>         by * read
>
> Besides that I have the following options in slapd.conf:
> sasl-host eon.za.net
> sasl-realm "SPRINTER.ORG"
> sasl-secprops none
>
> I have set up Kerberos with a realm named SPRINTER.ORG.
>
> When I start kinit I authenticate with a user named eon.
> After this ldapsearch -Y gssapi will contact the OpenLDAP server which
> assigns uid=eon to my authenticated user. According to the ACLs in
> slapd.conf that user will get write access to his simple bind password
> (userPassword). The reason there is another ACL for the userPassword
> attribute is that groups can also have passwords, and you don't want to have
> default read access on those... :)
>
> I probably have some errors in this story above, so if anyone finds them,
> please correct :) However, it is working for me right now...
>
> Grtz,
>         Eon.
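As an added illustration of how the quoted ACLs are evaluated (this is example code, not from the post or from OpenLDAP): a small Python model of slapd's first-matching-clause ACL evaluation over the three rules above. Assumptions: the bare identity "uid=eon" used for the unmapped SASL case follows the post's own description, the group DN is constructed, and the regex handling is a simplification of slapd's dn.regex matching with $1 substitution.

```python
import re

# ACLs transcribed from the post: (target DN regex or None, attribute set or None,
# ordered "by" clauses). The first matching "access to" rule wins, then its first
# matching "by" clause. Simplified model of slapd semantics (assumption).
MANAGER = "cn=Manager,dc=sprinter,dc=org"
ACLS = [
    (r"^uid=([^,]+),ou=People,dc=sprinter,dc=org", {"userpassword"},
     [("dn", "uid=$1", "write"), ("dn", MANAGER, "write"), ("self", None, "write"),
      ("anonymous", None, "auth"), ("*", None, "none")]),
    (None, {"userpassword"},
     [("self", None, "write"), ("dn", MANAGER, "write"),
      ("anonymous", None, "auth"), ("*", None, "none")]),
    (None, None,
     [("self", None, "write"), ("dn", MANAGER, "write"), ("*", None, "read")]),
]


def access(bound, entry, attr):
    """Access level that identity `bound` ("" = anonymous) has to `attr` of `entry`."""
    for target_re, attrs, by in ACLS:
        if attrs is not None and attr.lower() not in attrs:
            continue
        match = None
        if target_re is not None:
            match = re.match(target_re, entry, re.IGNORECASE)
            if match is None:
                continue
        for kind, pattern, level in by:
            if kind == "*":
                return level
            if kind == "anonymous" and bound == "":
                return level
            if kind == "self" and bound.lower() == entry.lower():
                return level
            if kind == "dn" and bound:
                if match is not None:  # regex target: substitute $1, result is a regex
                    sub = pattern.replace("$1", re.escape(match.group(1)))
                    hit = re.search(sub, bound, re.IGNORECASE) is not None
                else:                  # plain target: exact DN comparison
                    hit = pattern.lower() == bound.lower()
                if hit:
                    return level
    return "none"  # nothing matched: slapd denies by default


if __name__ == "__main__":
    EON = "uid=eon,ou=People,dc=sprinter,dc=org"
    GROUP = "cn=admins,ou=Group,dc=sprinter,dc=org"  # constructed group entry
    for who, entry, attr in [(EON, EON, "userPassword"), ("", EON, "userPassword"),
                             ("uid=eon", EON, "mail"), (EON, GROUP, "userPassword")]:
        print(f"{who or 'anonymous':45} {entry:40} {attr:13} -> {access(who, entry, attr)}")
```

The unmapped identity "uid=eon" still gets write on its own userPassword through the `dn="uid=$1"` regex clause, but only read on its other attributes, because `by self` needs the bound identity to equal the entry DN, which is the replier's point about sasl-regexp.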