[Date Prev][Date Next] [Chronological] [Thread] [Top]


On Sat, 4 Mar 2000, Pierangelo Masarati wrote:

	I really hate to reply to your mail without an answer, but I have
pretty much the same question...

	How does one create an ACL that can match part of a dn?  I've got
an ou inside of which I keep configurations for various servers (OpenLDAP
itself, RADIUS, whatever else).  My RADIUS server has its own DN, and I
can't figure out a way to keep most people out of its config, while
letting it in.  The RADIUS setup looks like this:

           |    |
           |    +--<Various LDAP config entries>
                |     |
                |     +--<client Entries>
                      +--<Template entries>

	I need to make sure that the RADIUS server has read access to
everything under ou=RADIUS, but not under ou=LDAP.  I also need to make
sure that nobody other than the RADIUS user and administrative users who
will be modifying that data.  I've tried a view various ACL combinations
and failed to get the right results.  Any pointers?

	It appears that this kinda stuff can be done quite easily with
ACIs.  How is OpenLDAP's ACI support coming along?  Is there an estimate
as to when there might be a stable release with ACI support that would
solve this problem for me?

# It is not clear to me how can I allow some dn to add children
# entries to a parent entry, say
# cn=child,cn=parent,o=My Org.,c=IT
# without giving that dn write permission on all the parent
# entry attributes.
# Any suggestions? Thanks in advance.
# Pierangelo Masarati
# <ando@sys-net.it>
# SysNet

dustin sallings                            The world is watching America,
http://2852210114/~dustin/                 and America is watching TV.