
Re: Assigning user access to parts of tree



> Hi Marco,

Hi,
> Thanks for the quick and detailed reply.  However if I understand you
> rightly, these access permissions go into the slapd.conf.  Is there
> any way of maintaining these permissions within the LDAP database
> itself?

	With this method you have to set slapd.conf only once; then you can 
control access by editing entries directly.
	With the method using "groupOfNames", every time you add an entry called 
"cn=RWusers, ..." under a subtree and put a DN in a "member" attribute 
value of this entry, this DN can read and write every object under the subtree.
Ex:

SLAPD.CONF:

	# regex ACL, anchored so it cannot match a DN substring;
	# $2 is the value of the ou= RDN the target entry sits under
	access to dn="^(.*),ou=([^,]+),dc=abcd,dc=com$"
		by self	write
		by group="cn=RWusers,ou=$2,dc=abcd,dc=com" write 
		by group="cn=ROusers,ou=$2,dc=abcd,dc=com" read


LDIF:

	dn: cn=RWusers,ou=virtualDomain,dc=abcd,dc=com
	objectClass: groupOfNames
	cn: RWusers
	ou: virtualDomain
	member: cn=userA,ou=adomain,dc=abcd,dc=com
	member: cn=userC,ou=anotherdomain,dc=abcd,dc=com
	# ... other stuff ...

Every user that binds with a DN listed in "member" can write in the 
ou=virtualDomain,dc=abcd,dc=com subtree.
You can add and remove values from the entry without touching SLAPD.CONF.

	With the second method the ACL also depends on entries, in a more performant 
but less flexible way.
	
Bye
--------------------------------------------------------
Marco Ferrante (ferrante@unige.it)
CSITA (Centro Servizi Informatici e Telematici d'Ateneo)
Università degli Studi di Genova - Italy
Viale Brigata Salerno - 16147 Genova
tel (+39) 0103532621 (interno tel. 2621)
--------------------------------------------------------
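An added example, not part of Marco's message and not OpenLDAP code: a small Python model of how slapd evaluates the regex ACL above. It parses constructed group entries (mirroring the post's RWusers/ROusers, with userB assumed to be a read-only member), expands the `$2` capture into the group DN, and returns the access a bound DN gets on a target entry, following slapd's rule that the first matching "by" clause wins. It also shows why the `$2` must be written as `ou=$2` (a template without the prefix expands to a DN that names no entry) and why a `,,` typo in a member value can never match a bound DN. The ACL pattern and all sample DNs are assumptions constructed for this example.

```python
"""Toy model of a slapd regex ACL with $N group substitution (added example,
not slapd/libldap code). Models first-matching-'by'-clause-wins evaluation."""
import re

# Constructed sample LDIF mirroring the post's groups; not real directory data.
# userA/userC are read-write members, userB is assumed to be read-only.
SAMPLE_LDIF = """\
dn: cn=RWusers,ou=virtualDomain,dc=abcd,dc=com
objectClass: groupOfNames
cn: RWusers
member: cn=userA,ou=adomain,dc=abcd,dc=com
member: cn=userC,ou=anotherdomain,dc=abcd,dc=com

dn: cn=ROusers,ou=virtualDomain,dc=abcd,dc=com
objectClass: groupOfNames
cn: ROusers
member: cn=userB,ou=adomain,dc=abcd,dc=com
"""

# The post's ACL, anchored: $2 is the value of the ou= RDN the target sits under.
ACL_REGEX = r"^(.*),ou=([^,]+),dc=abcd,dc=com$"
# (kind, who-template, level) in slapd order; the first clause that matches wins.
ACL_BY = [
    ("self", None, "write"),
    ("group", "cn=RWusers,ou=$2,dc=abcd,dc=com", "write"),
    ("group", "cn=ROusers,ou=$2,dc=abcd,dc=com", "read"),
]


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDNs; reject empty RDNs
    (a ',,' typo in a member value produces a DN that can match nothing)."""
    parts = [p.strip() for p in dn.split(",")]
    if any(not p for p in parts):
        raise ValueError("empty RDN in DN: %r" % dn)
    return ",".join(parts).lower()


def is_valid_dn(dn):
    """True if dn normalizes without an empty RDN."""
    try:
        normalize_dn(dn)
        return True
    except ValueError:
        return False


def parse_ldif(text):
    """Parse minimal LDIF (no base64 '::' values, no continuation lines) into
    {normalized dn: {attr: [values]}}. A blank line ends an entry."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = normalize_dn(value)
            entries[current] = {}
        elif current is not None:
            entries[current].setdefault(attr, []).append(value)
    return entries


def expand(template, match):
    """Substitute $1..$9 in a 'by' template with the regex captures, as slapd does."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)


def group_dn_for(target_dn, template):
    """Group DN the ACL would look up for target_dn under 'template', or None
    if the target is outside ACL_REGEX. Handy for checking a template before use."""
    m = re.match(ACL_REGEX, target_dn, re.IGNORECASE)
    return normalize_dn(expand(template, m)) if m else None


def access_level(entries, target_dn, bind_dn):
    """Access bind_dn gets on target_dn under ACL_REGEX/ACL_BY ('none' if nothing matches)."""
    m = re.match(ACL_REGEX, target_dn, re.IGNORECASE)
    if not m:
        return "none"
    bind = normalize_dn(bind_dn)
    for kind, who, level in ACL_BY:
        if kind == "self" and bind == normalize_dn(target_dn):
            return level
        if kind == "group":
            group = entries.get(normalize_dn(expand(who, m)), {})
            if bind in (normalize_dn(v) for v in group.get("member", [])):
                return level
    return "none"


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    target = "cn=mailbox1,ou=virtualDomain,dc=abcd,dc=com"
    for bind in ("cn=userA,ou=adomain,dc=abcd,dc=com",
                 "cn=userB,ou=adomain,dc=abcd,dc=com",
                 "cn=userD,ou=adomain,dc=abcd,dc=com"):
        print(bind, "->", access_level(db, target, bind))
    # A template without 'ou=' expands to a DN that names no entry:
    print(group_dn_for(target, "cn=RWusers,$2,dc=abcd,dc=com"))
```

Because the first group capture is greedy, an entry nested deeper (for example `cn=x,ou=sub,ou=virtualDomain,...`) still resolves `$2` to `virtualDomain`, which is the "every object under the subtree" behaviour the message describes; the `ou=virtualDomain` entry itself does not match the pattern, so the groups get no access to it.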