Re: Subtree acl II
On Thu, Oct 15, 1998 at 06:07:32PM +0200, Manon Goo wrote:
> How do I specify a manager for a subtree of the LDAP server?
>
> Subtree
>
> ou=Manon, o=MG, c=DE
> objectclass=top
> objectclass=organizationalUnit
> objectclass=quipuObject
> objectclass=quipuNonLeafObject
> manager=cn=Manon Goo,ou=People,o=MG,c=DE
> ou=Manon
>
> My acls:
>
> defaultaccess read
> access to attr=objectclass
> by * read
> access to attr=userpassword
> by self write
> by * compare
> access to dn=".*,ou=Manon,o=MG,c=DE"
> by dn="cn=Manon Goo,ou=People,o=MG,c=DE"
> write
> by * read
> access to * by * read
>
>
> "cn=Manon Goo,ou=People,o=MG,c=DE" may manage existing entries of the
> subtree
> but is not allowed to insert new entries under the subtree. What is the
> subtree ACL?
I can think of two approaches. First, you can define manager entries that
are recognizable by DN:
cn=Manon Goo, ou=Managers,o=MG,c=DE
and add appropriate ACLs that match it. This requires an extra entry
for each manager, and they must authenticate using a password defined in that
entry.
The second is to define a single manager group entry that has uniquemember
values defining the managers:
cn=Managers, o=MG, C=DE
objectclass: top
objectclass: groupOfUniqueNames
cn: Managers
description: people who can manage o=MG, C=DE
uniquemember: cn=Manon Goo, ou=People, o=MG, c=DE
uniquemember: cn=Someone Else, ou=People, o=MG, c=DE
Then use the new group ACL extension (OpenLDAP, not the older UMich code base):
# dn= is a regular expression; the parenthesised groups are reused
# as $1 and $2 in the group DN below.
access to dn="ou=Manon,o=(.*),c=(.*)"
        attrs=children,entry,uid
        by group="cn=Managers,o=$1,c=$2" write
        by dn=".*" read
The second approach requires a single entry and has the advantage of
allowing managers to authenticate with their normal entry and password.
--
Stuart Lynne <sl@fireplug.net> 604-461-7532 <http://www.fireplug.net>
PGP Fingerprint: 28 E2 A0 15 99 62 9A 00 88 EC A3 EE 2D 1C 15 68
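A fuller slapd.conf access section, added here as an example and not part of either message, placing the original per-DN rule next to the group-based approach from the reply. It assumes the OpenLDAP 1.x style used in the thread (dn= patterns are unanchored regular expressions, and "by group=" matches the bound DN against the uniquemember values of a groupOfUniqueNames entry); the group DN cn=Managers,o=MG,c=DE is the one from the reply, while the ^...$ anchoring and the split into two rules are choices made for this example.

```conf
# Added example slapd.conf access section; not from either message.
# Assumes OpenLDAP 1.x semantics as used in the thread: dn= is a regex,
# first matching rule wins, and "by group=" checks uniquemember of a
# groupOfUniqueNames entry.

defaultaccess read

# Everyone may read objectclass; a password is writable only by its owner
# and comparable (for bind) by everyone else.  Being attribute-specific and
# listed first, this rule still governs userpassword inside the subtree, so
# the managers below cannot reset passwords unless it is changed.
access to attr=objectclass
        by * read
access to attr=userpassword
        by self write
        by * compare

# The original rule, kept for comparison.  ".*,ou=Manon,..." matches only
# entries *below* ou=Manon, never ou=Manon itself.  Adding a child requires
# write access to the "children" pseudo-attribute of the parent entry, which
# this rule never grants, so modifications succeed but ldapadd is refused.
#access to dn=".*,ou=Manon,o=MG,c=DE"
#        by dn="cn=Manon Goo,ou=People,o=MG,c=DE" write
#        by * read

# Group-based replacement, in two rules.
# 1. The subtree root: write on "children" lets managers create (and remove)
#    entries directly under it; "entry" is included as in the reply.
access to dn="^ou=Manon,o=MG,c=DE$"
        attrs=children,entry
        by group="cn=Managers,o=MG,c=DE" write
        by * read

# 2. Everything beneath it: managers may modify existing entries.
access to dn="^.*,ou=Manon,o=MG,c=DE$"
        by group="cn=Managers,o=MG,c=DE" write
        by * read

# Everything else stays readable.
access to *
        by * read
```

Managers are then added or removed by editing the uniquemember values of cn=Managers,o=MG,c=DE; no ACL change is needed per person. Because rules are evaluated in order, any attribute-specific rule placed above the subtree rules (userpassword here) takes precedence over the manager grant.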