Re: Subtree acl II
Stuart Lynne wrote:
>
> On Thu, Oct 15, 1998 at 06:07:32PM +0200, Manon Goo wrote:
> > How do I specify a manager for a subtree of the ldapserver
> >
> > Subtree
> >
> > ou=Manon, o=MG, c=DE
> > objectclass=top
> > objectclass=organizationalUnit
> > objectclass=quipuObject
> > objectclass=quipuNonLeafObject
> > manager=cn=Manon Goo,ou=People,o=MG,c=DE
> > ou=Manon
> >
> > My acls:
> >
> > defaultaccess read
> > access to attr=objectclass
> > by * read
> > access to attr=userpassword
> > by self write
> > by * compare
> > access to dn=".*,ou=Manon,o=MG,c=DE"
> > by dn="cn=Manon Goo,ou=People,o=MG,c=DE"
> > write
> > by * read
> > access to * by * read
> >
> >
> > "cn=Manon Goo,ou=People,o=MG,c=DE" may manage existing entries of the
> > subtree
> > but is not allowed to insert new entries under the subtree. What is the
> > subtree acl?
>
> I can think of two approaches. First you can define manager entries that
> are recognizable by dn:
>
> cn=Manon Goo, ou=Managers,o=MG,c=DE
>
> And add appropriate acl's that match that. This requires an extra entry
> for each manager and they must authenticate using a password defined in that
> entry.
>
> Second is to define a single manager group entry that has uniquemember
> values defining managers:
>
> cn=Managers, o=MG, C=DE
> objectclass: top
> objectclass: groupOfUniqueNames
> cn: Managers
> description: people who can manage o=MG, C=DE
> uniquemember: cn=Manon Goo, ou=People, o=MG, c=DE
> uniquemember: cn=Someone Else, ou=People, o=MG, c=DE
>
> Then use the new (openldap not older umich code base) group acl extension:
>
> access to dn="ou=Manon,o=(.*),c=(.*)"
> attrs=children,entry,uid
> by group="cn=Managers,o=$1,c=$2" write
> by dn=".*" read
>
> The second approach requires a single entry and has the advantage of
> allowing managers to use their normal entry and password to authenticate
> with.
Where do I find documentation for the acl extensions?
I've read the UMICH SLAPD Administrator's Guide and
have not found anything appropriate for openldap.
> --
> Stuart Lynne <sl@fireplug.net> 604-461-7532 <http://www.fireplug.net>
> PGP Fingerprint: 28 E2 A0 15 99 62 9A 00 88 EC A3 EE 2D 1C 15 68
--
==========================
Manon Goo
manon@manon.de
+49 221 9321936
=========================
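As an added illustration of the two ACL fragments in this thread (this is constructed example code, not code from the thread, from the poster, or from OpenLDAP itself), the following Python models slapd's regex ACL targeting and the "$1"/"$2" group expansion shown in the reply. It assumes, as the reply's rule does, that adding an entry requires write access to the parent's "children" pseudo-attribute, that a rule with no attrs= clause covers every attribute, and that the first rule whose target matches decides the outcome. The names ORIGINAL_ACL, GROUP_ACL, COMBINED_ACL, access and can_add_child are all hypothetical; COMBINED_ACL is an extension beyond the thread that adds a second group rule for the entries beneath ou=Manon.

```python
import re

# Toy model of slapd regex ACL targeting and "$1"/"$2" group expansion.
# Constructed for illustration; it is NOT slapd's own access evaluator.
# Assumptions: adding an entry needs "write" on the parent's "children"
# pseudo-attribute, a rule without attrs= covers every attribute, and the
# first rule whose target matches decides (later rules are not consulted).

DEFAULT_ACCESS = "read"          # "defaultaccess read" from the original post
MANAGER = "cn=Manon Goo,ou=People,o=MG,c=DE"

def norm(dn):
    """Case- and whitespace-insensitive DN form, so rules and subjects compare equally."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

# The groupOfUniqueNames entry from the reply, keyed by normalized DN.
GROUPS = {
    norm("cn=Managers,o=MG,c=DE"): {
        norm(MANAGER),
        norm("cn=Someone Else,ou=People,o=MG,c=DE"),
    },
}

# The original poster's rule: the leading ".*," means it matches only entries
# *below* ou=Manon; the ou=Manon entry itself never satisfies it.
ORIGINAL_ACL = [
    {"to": r".*,ou=Manon,o=MG,c=DE", "attrs": None,
     "by": [("dn", MANAGER, "write"), ("*", None, "read")]},
]

# The reply's group rule: targets the ou=Manon entry itself and captures the
# o= and c= values so the group DN can be rebuilt with $1 and $2.
GROUP_ACL = [
    {"to": r"ou=Manon,o=(.*),c=(.*)", "attrs": {"children", "entry", "uid"},
     "by": [("group", "cn=Managers,o=$1,c=$2", "write"), ("dn", ".*", "read")]},
]

# Constructed extension (not from the thread): the parent rule plus a second
# group rule so the same managers can also write the entries beneath ou=Manon.
COMBINED_ACL = GROUP_ACL + [
    {"to": r".*,ou=Manon,o=(.*),c=(.*)", "attrs": None,
     "by": [("group", "cn=Managers,o=$1,c=$2", "write"), ("dn", ".*", "read")]},
]

def access(acl, who, target_dn, attr):
    """Access level the first matching rule grants `who` on `attr` of `target_dn`."""
    for rule in acl:
        match = re.fullmatch(norm(rule["to"]), norm(target_dn))
        if not match:
            continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        for kind, pattern, level in rule["by"]:
            if kind == "*":
                return level
            if kind == "dn" and re.fullmatch(norm(pattern), norm(who)):
                return level
            if kind == "group":
                # $1/$2 become \1/\2 and are filled in from the target match
                group_dn = norm(match.expand(pattern.replace("$", "\\")))
                if norm(who) in GROUPS.get(group_dn, set()):
                    return level
        return "none"            # rule matched but no "by" clause applied
    return DEFAULT_ACCESS

def can_add_child(acl, who, parent_dn):
    """Adding an entry requires write on the parent's "children" pseudo-attribute."""
    return access(acl, who, parent_dn, "children") == "write"

if __name__ == "__main__":
    parent = "ou=Manon,o=MG,c=DE"
    child = "cn=New Person,ou=Manon,o=MG,c=DE"      # constructed sample entry
    for name, acl in (("original", ORIGINAL_ACL), ("group", GROUP_ACL),
                      ("combined", COMBINED_ACL)):
        print(f"{name:9s} add under parent: {can_add_child(acl, MANAGER, parent)!s:5s} "
              f"modify child: {access(acl, MANAGER, child, 'description')}")
```

Running it shows the asymmetry behind the question: the original rule grants write on existing children but never matches the ou=Manon entry, so its "children" attribute falls back to the default and an add is refused; the reply's group rule matches the parent (capturing $1=MG and $2=DE to form cn=Managers,o=MG,c=DE) but, taken alone, no longer covers the entries beneath it, which is why a second rule for ".*,ou=Manon,..." is needed if managers should keep editing them.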