Re: acls for "remote groups"

[Pierangelo Masarati <ando@sys-net.it>]

Raissa Dantas Freire de Medeiros wrote:

> Hi all!
>
> Does anybody already needed to grant access to a group of another partition?
>
> Suppose you are on a.com.br server (DN suffix: dc=br). Its acl conf file is:
>
> access to dn.subtree="dc=br"
>    by group/groupOfNames/member="cn=g1,ou=pb,dc=br" write
>    by * read
>
> The group cn=g1,ou=pb,dc=br is on another server (suppose b.com.br server, DN suffix: ou=pb,dc=br).
>
> I have noticed slapd ignores the first <who> clause when evaluating acls!!!!
>  
Yes.  Slapd is stupid enough to require you to tell it what to do. As 
you've already been told in a previous posting, you need to define 
another database of "ldap" type, pointing to the remote server that 
contains the bit of information you want it to use for access checking, 
and glue it together with the original one.  Assuming you're using 
OpenLDAP 2.2 (the syntax changes with 2.3, so I'll describe both):

<OL22>
database        ldap
suffix          "ou=pb,dc=br"
subordinate
uri             "ldap://remote/";
#...

database        bdb
suffix          "dc=br"
#...
</OL22>

<OL23>
database        ldap
suffix          "ou=pb,dc=br"
uri             "ldap://remote/";
#...

database        bdb
suffix          "dc=br"
#...

overlay         glue
glue-sub        "ou=pb,dc=br"
</OL23>

This does what you intend; it is likely to behave poorly because of your 
design; I'd rather replicate the group info in the local database.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497