Re: Subtree acl II
On Fri, Oct 16, 1998 at 10:29:40AM +0200, Manon Goo wrote:
>
>
> Stuart Lynne wrote:
> >
> > On Thu, Oct 15, 1998 at 06:07:32PM +0200, Manon Goo wrote:
> > > How do I specify a manager for a subtree of the ldapserver
> > >
> > > Subtree
> > >
> > > ou=Manon, o=MG, c=DE
> > > objectclass=top
> > > objectclass=organizationalUnit
> > > objectclass=quipuObject
> > > objectclass=quipuNonLeafObject
> > > manager=cn=Manon Goo,ou=People,o=MG,c=DE
> > > ou=Manon
> > >
> > > My acls:
> > >
> > > defaultaccess read
> > > access to attr=objectclass
> > > by * read
> > > access to attr=userpassword
> > > by self write
> > > by * compare
> > > access to dn=".*,ou=Manon,o=MG,c=DE"
> > > by dn="cn=Manon Goo,ou=People,o=MG,c=DE"
> > > write
> > > by * read
> > > access to * by * read
> > >
> > >
> > > "cn=Manon Goo,ou=People,o=MG,c=DE" may manage existing entries of the
> > > subtree
> > > but is not allowed to insert new entries under the subtree. What is the
> > > subtree acl?
> >
> > I can think of two approaches. First you can define manager entries that
> > are recognizable by dn:
> >
> > cn=Manon Goo, ou=Managers,o=MG,c=DE
> >
> > And add appropriate acls that match that. This requires an extra entry
> > for each manager, and they must authenticate using a password defined in that
> > entry.
> >
> > Second is to define a single manager group entry that has uniquemember
> > values defining managers:
> >
> > cn=Managers, o=MG, C=DE
> > objectclass: top
> > objectclass: groupOfUniqueNames
> > cn: Managers
> > description: people who can manage o=MG, C=DE
> > uniquemember: cn=Manon Goo, ou=People, o=MG, c=DE
> > uniquemember: cn=Someone Else, ou=People, o=MG, c=DE
> >
> > Then use the new (openldap not older umich code base) group acl extension:
> >
> > access to dn="ou=Manon,o=(.*),c=(.*)"
> > attrs=children,entry,uid
> > by group="cn=Managers,o=$1,c=$2" write
> > by dn=".*" read
> >
> > The second approach requires a single entry and has the advantage of
> > allowing managers to use their normal entry and password to authenticate
> > with.
> Where do I find documentation for the acl extensions?
> I've read the UMICH SLAPD Administrator's Guide and
> have not found anything appropriate for openldap.
Sorry, I haven't updated the admin guide. The above example pretty well
encapsulates the functionality provided.
There are two extensions. First, using POSIX regex so that we can use $1-$9
in the matching expressions.
Second, the group extension, which essentially says that a user's (the
authenticating user's) rights are determined by this clause of the acl if the
DN he is using to authenticate with is a value in the uniquemember attribute
of the specified group entry.
--
Stuart Lynne <sl@fireplug.net> 604-461-7532 <http://www.fireplug.net>
PGP Fingerprint: 28 E2 A0 15 99 62 9A 00 88 EC A3 EE 2D 1C 15 68
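The two extensions described in the reply, worked through as an added example that is not code from the thread or from OpenLDAP itself: a small in-memory model of slapd's ACL evaluation in which the `$1`/`$2` captures from the target-DN regex are substituted into the `group=` DN, and the `by group` clause is satisfied only when the bind DN appears as a `uniquemember` of that group entry. The directory contents, the ACL data structure and the function names are constructed for the demo; `children` and `entry` are passed through as plain attribute names, and their server-side meaning is not modelled.

```python
import re

# Constructed directory for the demo (not from the original thread): DN -> attributes.
DIRECTORY = {
    "cn=managers,o=mg,c=de": {
        "uniquemember": ["cn=Manon Goo,ou=People,o=MG,c=DE",
                         "cn=Someone Else,ou=People,o=MG,c=DE"],
    },
}

# Hypothetical in-memory form of the ACL from the reply:
# (target DN regex, attrs or None for all, [(who_kind, who_pattern, level)])
ACL = [
    (r"^ou=manon,o=(.*),c=(.*)$", {"children", "entry", "uid"},
     [("group", "cn=Managers,o=$1,c=$2", "write"),
      ("dn", ".*", "read")]),
    (r"^.*$", None, [("dn", ".*", "read")]),   # 'access to * by * read'
]

def normalize(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare equal."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def expand(pattern, match):
    """Regex extension: substitute $1..$9 with groups captured from the target DN."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))), pattern)

def in_group(group_dn, bind_dn):
    """Group extension: is the bind DN a uniquemember value of the group entry?"""
    entry = DIRECTORY.get(normalize(group_dn), {})
    members = {normalize(m) for m in entry.get("uniquemember", [])}
    return normalize(bind_dn) in members

def access_level(target_dn, attr, bind_dn):
    """First matching target clause wins; within it, the first matching 'by' wins.
    An anonymous bind is modelled as the empty DN."""
    for target_re, attrs, clauses in ACL:
        m = re.match(target_re, normalize(target_dn))
        if not m or (attrs is not None and attr not in attrs):
            continue
        for kind, who, level in clauses:
            who = expand(who, m)
            if kind == "group" and in_group(who, bind_dn):
                return level
            if kind == "dn" and re.fullmatch(who, normalize(bind_dn)):
                return level
        return "none"
    return "none"
```

With the captures in place, the same clause grants write on `ou=Manon,o=MG,c=DE` to members of `cn=Managers,o=MG,c=DE` and, for a target under some other `o=`/`c=`, consults that organization's own Managers group instead.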