
Re: ACL List Newbie



Thanks Ace, I have changed my ACL access to this:
 
access to dn.regex="ou=test,dc=example,dc=com"
        by users read
        by anonymous auth
        by * none
It serves my need: it makes users able to access only the "ou=test" container and denies all other access.
 
Cheers
 
 
 


Ace Suares <ace@suares.nl> wrote:
> > Could someone guide me how I can control access to a directory tree
> > structure?
> >
> > My current acl looks like this
> > access to *
> > by self write
> > by users read
> > by anonymous read
> > by * none
> > I would like to restrict access to one particular container
>
> man slapd.access(5)
> http://www.openldap.org/doc/admin21/

First of all, please change 'by anonymous read' to 'by anonymous auth'.
Authenticating always happens anonymously; and by allowing 'read' you will let
the anonymous user read all your entries! (Not good!)

Secondly, you need entries which have at least the 'userPassword' attribute -
else they won't have a password to login with.

Third, you need to find out what ACL you need for 'ou=test'.
Let's assume your suffix is 'dc=example,dc=com', then something like this
might work:

access to dn.regex=".*,ou=test,dc=example,dc=com"
by users read
by * none

access to *
by self write
by users read
by anonymous auth
by * none

The ORDER in which you put the ACLs is important! Reverse the order and the
second ACL is never read (because '*' also encompasses 'ou=test,...').

Be aware that the first ACL does NOT give access to the entry
'ou=test,dc=example,dc=com' itself, so the second rule is used for it!

_Ace

>
> -Dieter

--
Ace Suares' Internet Consultancy
NEW ADDRESS: Postbus 2599, 4800 CN Breda
telephone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
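The ordering rule and the "container entry itself" caveat that Ace describes are easy to check before touching a live slapd. The script below is an added example, not part of the original thread or of OpenLDAP: it is a small simulator of slapd's first-match ACL evaluation (first `access to` whose `<what>` matches the entry is selected; within it, the first matching `by` clause decides; an implicit trailing `by * none` applies) and it runs Ace's two rules in both orders, plus the single rule from the reply, against constructed DNs. It assumes `dn.regex` is matched as an unanchored regular expression and only supports the `*`, `self`, `users` and `anonymous` subjects used in the thread.

```python
import re

# slapd privilege levels in increasing order (disclose/manage omitted);
# a granted level implies every level below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed ACL sets, each a list of (<what>, [(<who>, <access>), ...]).
# Ace's suggested order: the ou=test rule before the catch-all.
ACL_SUGGESTED = [
    ('dn.regex=".*,ou=test,dc=example,dc=com"', [("users", "read"), ("*", "none")]),
    ("*", [("self", "write"), ("users", "read"), ("anonymous", "auth"), ("*", "none")]),
]
# The same two rules with the order reversed (the case Ace warns about).
ACL_REVERSED = list(reversed(ACL_SUGGESTED))
# The single rule from the reply at the top of the thread.
ACL_REPLY = [
    ('dn.regex="ou=test,dc=example,dc=com"',
     [("users", "read"), ("anonymous", "auth"), ("*", "none")]),
]


def target_matches(what, entry_dn):
    """Does an <what> selector ('*' or dn.regex="...") select this entry?"""
    if what == "*":
        return True
    m = re.fullmatch(r'dn\.regex="(.*)"', what)
    if m:
        # Assumption: unanchored search, as with an unanchored POSIX regex.
        return re.search(m.group(1), entry_dn) is not None
    raise ValueError(f"unsupported <what> selector: {what}")


def who_matches(who, requester_dn, entry_dn):
    """Does a <who> selector match the requester (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    raise ValueError(f"unsupported <who> selector: {who}")


def granted_level(acls, requester_dn, entry_dn):
    """Privilege the first matching directive grants; 'none' if nothing matches."""
    for what, by_clauses in acls:
        if not target_matches(what, entry_dn):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, entry_dn):
                return level
        return "none"  # implicit trailing 'by * none'; later directives are not consulted
    return "none"      # no directive selected the entry at all


def allows(acls, requester_dn, entry_dn, wanted):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted_level(acls, requester_dn, entry_dn)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    alice = "uid=alice,ou=test,dc=example,dc=com"      # constructed entry under ou=test
    bob = "uid=bob,ou=people,dc=example,dc=com"        # constructed entry elsewhere
    container = "ou=test,dc=example,dc=com"
    for name, acls in [("suggested", ACL_SUGGESTED), ("reversed", ACL_REVERSED), ("reply", ACL_REPLY)]:
        print(f"--- {name} order ---")
        for who, req in [("anonymous", None), ("bob", bob), ("alice (self)", alice)]:
            for entry in (alice, bob, container):
                print(f"{who:13} -> {entry:40} {granted_level(acls, req, entry)}")
```

Two things the output makes visible: in the suggested order a user under ou=test never reaches the catch-all's `by self write`, and anonymous gets `none` (not `auth`) on entries under ou=test, so check that the entries that need to bind still get at least `auth` on `userPassword` before deploying such a rule set.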

