
RE: ACL Headaches



Sweet, that worked!

Thank you so much.

Can you include multiple sasl-regexp statements in the slapd.conf file?

I would like to add a literal mapping such as:

sasl-regexp uid=ldapadmin,cn=QM,cn=gssapi,cn=auth cn=ldapadmin,dc=qm

since the other regexp is mapping the ldapadmin@QM principal to uid=ldapadmin,ou=people,dc=qm which is not correct.

Thank you again for the help. I will read through the manual this weekend so I can start tweaking permissions on a per-user basis.

Cheers,
Silas

=0)
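For reference, here is a slapd.conf fragment that puts the two pieces of this thread together: the literal sasl-regexp for the ldapadmin principal ahead of a general one, plus the slapd.conf-style ACLs quoted below. This is an added example, not configuration posted by anyone in the thread. The general regexp, the ou=people layout and the cn=Subschema rule are assumptions; only the ldapadmin principal, the dc=qm suffix and the mapped DNs come from the messages.

```conf
# Added example (not from the original thread). Assumed: the catch-all
# regexp, the ou=people container and the cn=Subschema rule.

# --- SASL identity mapping -------------------------------------------
# Multiple sasl-regexp statements (spelled authz-regexp in newer
# releases) are allowed. They are checked in the order they appear in
# the file and the first pattern that matches the SASL authentication
# DN wins. The literal rule for ldapadmin must therefore come BEFORE the
# catch-all, otherwise the catch-all fires first and ldapadmin is mapped
# to uid=ldapadmin,ou=people,dc=qm.
#
# The pattern is a POSIX extended regular expression matched against the
# string slapd builds for the bind, e.g.
#   uid=ldapadmin,cn=QM,cn=gssapi,cn=auth
# An unanchored regex can match as a substring, so ^ and $ are used to
# keep a principal such as xldapadmin@QM from hitting the literal rule.
# Lines starting with whitespace are continuation lines in slapd.conf.
sasl-regexp
    "^uid=ldapadmin,cn=QM,cn=gssapi,cn=auth$"
    "cn=ldapadmin,dc=qm"

# Catch-all for every other principal in the QM realm (assumed layout).
sasl-regexp
    "^uid=([^,]*),cn=QM,cn=gssapi,cn=auth$"
    "uid=$1,ou=people,dc=qm"

# --- Access control ---------------------------------------------------
# Because the mapping above rewrites the authenticating identity before
# ACLs are evaluated, the ACLs only need the mapped DN
# cn=ldapadmin,dc=qm; the raw ...,cn=gssapi,cn=auth form no longer has
# to be listed. The rootdn is omitted: it always has full access.
access to dn.base=""
    by * read

access to dn.base="cn=Subschema"
    by * read

access to dn.subtree="dc=qm"
    by dn.exact="cn=ldapadmin,dc=qm" write
    by dn.exact="uid=silasb,ou=people,dc=qm" write
    by * read
```

After restarting slapd, a GSSAPI bind as ldapadmin@QM should show the mapped identity with `ldapwhoami -Y GSSAPI` (it should print dn:cn=ldapadmin,dc=qm rather than the cn=auth form), and a bind as any other principal should land in ou=people. If the literal rule is placed after the catch-all, ldapwhoami will report the ou=people DN for ldapadmin, which is the symptom described above.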

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Karsten
Gorling
Sent: Thursday, September 22, 2005 2:23 PM
To: openldap-software@OpenLDAP.org
Subject: Re: ACL Headaches


>* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050922 23:09]:
>> Ok,
>> 
>> My slapd.access file now looks like:
>> 
>> #########
>> olcAccess: to dn.base=""
>> 	by dn="cn=ldapadmin,dc=qm" write
>> 	by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
>> 	by dn.exact="uid=silasb,ou=people,dc=qm" write
>> 	by self write
>> 	by * read
>> 
>> olcAccess: to *
>> 	by dn="cn=ldapadmin,dc=qm" write
>> 	by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
>> 	by dn.exact="uid=silasb,ou=people,dc=qm" write
>> 	by * read
>> #########
>
>Is this exactly how your ACLs looks like? In "man slapd.conf" I
>cannot find a olcAccess-Statement.
>
>Your ACLs should be something like that:
>
>SNIP-->
># Writing to the RootDSE is impossible (AFAIK), but everybody should be able
># to read the information there
>access to dn.base=""
>    by * read
> 
># Everybody should be able to read the schema on the server
>access to dn.base="cn=Subschema"
>    by * read
>
># Access to back monitor (backend monitor must be enabled for this)
># only a privileged user should read this
>access to dn.subtree="cn=Monitor"
>    by dn.exact="dn_of_a_user_you_trust" read
>
># Enable write-Access for the given dn
># rootdn is omitted, since it has implicit always
># maximal access
>access to dn.subtree="dc=qm"
>    by dn.exact="uid=silasb,ou=people,dc=qm" write
>    by * read
><--SNAP
>
>It should now work as expected. But I strongly recommend reading the
>slapd.access Manpage.
>
>
>-- 
>Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
>Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309 
>E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
>Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
>PGP-Fingerprint:  4BEF 23EA 02AE BACA 9918  31FF 285B 0426 0E1A B2FC
>----------------- > encrypted E-Mail preferred <------------------------