
ACL help



Greetings,

I would appreciate it if someone would try to help me understand the idea
of ACL in my slapd.conf file.

A simple example: I have 3 entries in my ldif file (user1, user2, user3). Here
they are:

----------------------------------------------------------------------------
dn: o=Company, c=CA
objectclass: Organization

dn: location=Dorval, o=Company, c=CA
objectclass: Location


dn: username=user1, location=Dorval, o=Company, c=CA
objectclass: Person
username: user1
cn: User1_First_Name  Lastname
mail: user1@Company.com
location: Dorval
givenname: user1_GiveName
sn: Lastname
telephoneNumber:  ext: 7701
status: Active User


dn: username=user2, location=Dorval, o=Company, c=CA
objectclass: Person
username: user2
cn: User2_First_Name  Lastname
mail: user2@Company.com
location: Dorval
givenname: user2_GiveName
sn: Lastname
telephoneNumber:  ext: 7702
status: Active User
userpassword: Some_Password

dn: username=user3, location=Dorval, o=Company, c=CA
objectclass: Person
username: user3
cn: User3_First_Name  Lastname
mail: user3@Company.com
location: Dorval
givenname: user3_GiveName
sn: Lastname
telephoneNumber: ext: 7703
status: Active User
----------------------------------------------------------------------------


All I want to do is to allow user2 (WHO is the only one that has a
"userpassword" attribute) read access to the whole database (except
viewing any other "userpassword" data, if any).

Therefore, when user2 logs in with his username and passwd, a search on
the whole database would yield all 3 entries, except for the password.

I'm trying to configure our Eudora 4.1 email clients to "log in" to the LDAP
server (as user2) before giving any pertinent results.


----------------------------------------------------------------------------
ISSUES:

Can I define a username attribute to look up the login name, or do I use
the cn field?

Do all entries have to have a "userpassword" attribute?

Can I use the encrypted passwd (standard UNIX DES) in the "userpassword" field?

Must I follow schemas to allow ACL to work?

Or am I really out in left field?

----------------------------------------------------------------------------
I UNDERSTAND that I have to have:

access to attr=userpassword
 by self write
 by * compare

To hide the passwords
----------------------------------------------------------------------------

Any help would be appreciated... Thanks

Joe
email: jnoviell@matrox.com
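A slapd.conf ACL fragment that expresses the access described in the post above, added here as an example (it is not from the original message). It assumes the DNs from the LDIF above and the OpenLDAP 1.x slapd.conf keywords the post uses (attr=, access levels none/compare/search/read/write); in OpenLDAP 2.x the keyword is attrs= and the target DN is written as dn.exact=.

```conf
# Added example, not from the original post. Assumes the DNs in the LDIF above
# and OpenLDAP 1.x slapd.conf syntax (attr=, levels none/compare/read/write).

# Rule 1: nobody may read userpassword. "self write" lets an entry change its
# own password; "* compare" lets the bind operation verify a password without
# returning it in search results.
access to attr=userpassword
        by self write
        by * compare

# Rule 2: everything else is readable only when bound as user2; anonymous
# clients and any other bound DN get nothing. slapd uses the first "access to"
# clause whose target matches the entry/attribute, so the userpassword rule
# must come before this catch-all.
access to *
        by dn="username=user2,location=Dorval,o=Company,c=CA" read
        by * none
```

The dn= value is matched against the normalized DN (no spaces after commas), and in 1.x it is treated as a regular expression, so any regex metacharacters in the DN would need escaping. Note that "by * compare" still lets any client test password guesses with an LDAP compare operation; in 2.x the narrower "by anonymous auth" permits binds without granting compare.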