
Access Control Question

I have been testing with the following ACL setup:

defaultaccess   none
access to dn=".*,ou=people,o=Organization Name" attr=userpassword
        by self write
        by dn="uid=administrator,o=Organization Name" write
        by * compare
access to *
        by self write
        by dn="uid=administrator,o=Organization Name" write
        by * read

...which is intended to give anonymous read and password authentication
access, individual user update capabilities to their own entry, and
global administrative authority.  It works.

Now I want to create another branch of the DIT and provide the same
accessibility as above.  In this case though I want to define a
supplemental administrator whose global authority is limited to this new
branch.  Here is what I came up with:

defaultaccess   none
access to dn=".*,ou=another branch,o=Organization Name"
        by dn="uid=12345,ou=people,o=Organization Name" write
        by dn="uid=administrator,o=Organization Name" write
        by * read
access to dn=".*,ou=people,o=Organization Name" attr=userpassword
        by self write
        by dn="uid=administrator,o=Organization Name" write
        by * compare
access to *
        by self write
        by dn="uid=administrator,o=Organization Name" write
        by * read

When executing an ldapadd binding with uid=12345... I get an
Insufficient access error; I know the password is correct.  Can I grant
administrative access to specific users for specific portions of the
DIT?  If so, what am I doing wrong in specifying my ACLs above?

Thanks for any ideas.

Tod Thomas
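The following is an added illustration, not part of Tod's message and not OpenLDAP's own code: a small Python model of how slapd walks "access to ... by ..." clauses, run against the rules exactly as posted and against a hypothetical repaired version. It assumes (check these against the slapd version in use) that the first "access to" clause whose target matches decides and later clauses are never consulted, that within it the first matching "by" wins, that dn= patterns are case-insensitive, unanchored regular expressions, and that an ldapadd needs write access on the parent entry (its "children" pseudo-attribute). Under those assumptions the model shows three things about the posted rules: the pattern ".*,ou=another branch,o=Organization Name" requires a comma before "ou=", so it matches entries below the branch but not the branch entry itself, and uid=12345 therefore has only the "access to *" read level on the parent; because the branch clause has no attr= restriction and comes first, userpassword values under the new branch fall to "by * read"; and for the same reason a user in the new branch never reaches the "by self write" of the last clause. The "(.*,)?" pattern, the extra userpassword clause and the entry DNs are constructed for the example.

```python
import re

# Added illustration, not OpenLDAP's code: a toy evaluator for slapd.conf
# "access to ... by ..." clauses in the 1.x/2.0 syntax used in the post.
# Assumptions (verify against your slapd version): the FIRST "access to"
# clause whose target matches decides and later clauses are never consulted;
# inside it the first matching "by" wins and a matched target with no matching
# "by" denies; dn= patterns are case-insensitive, unanchored regexes; an add
# needs write access on the PARENT entry (the "children" pseudo-attribute).
LEVELS = ["none", "compare", "search", "read", "write"]


def parse_acl(text):
    """Return (defaultaccess, clauses); each clause is {dn, attrs, by}."""
    default, clauses = "none", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("defaultaccess"):
            default = line.split()[1]
        elif line.startswith("access to"):
            m = re.match(r'dn="([^"]*)"(?:\s+attr=(\S+))?', line[9:].strip())
            attrs = set(m.group(2).lower().split(",")) if m and m.group(2) else None
            clauses.append({"dn": m.group(1) if m else None, "attrs": attrs, "by": []})
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)   # level is the last word
            clauses[-1]["by"].append((who, level))
    return default, clauses


def granted(acl, bind_dn, entry_dn, attr):
    """Level bind_dn ('' = anonymous) gets on entry_dn / attr (None = the entry)."""
    default, clauses = acl
    for c in clauses:
        if c["dn"] is not None and not re.search(c["dn"], entry_dn, re.I):
            continue
        if c["attrs"] is not None and (attr is None or attr.lower() not in c["attrs"]):
            continue
        for who, level in c["by"]:
            m = re.match(r'dn="([^"]*)"', who)
            if who == "*" or (who == "self" and bind_dn.lower() == entry_dn.lower()) \
                    or (m and bind_dn and re.search(m.group(1), bind_dn, re.I)):
                return level
        return "none"        # target matched, no "by" did: implicit "by * none"
    return default           # no target matched: defaultaccess applies


def allows(acl, bind_dn, entry_dn, attr, want):
    return LEVELS.index(granted(acl, bind_dn, entry_dn, attr)) >= LEVELS.index(want)


# The rules exactly as posted.
POSTED = """
defaultaccess   none
access to dn=".*,ou=another branch,o=Organization Name"
        by dn="uid=12345,ou=people,o=Organization Name" write
        by dn="uid=administrator,o=Organization Name" write
        by * read
access to dn=".*,ou=people,o=Organization Name" attr=userpassword
        by self write
        by dn="uid=administrator,o=Organization Name" write
        by * compare
access to *
        by self write
        by dn="uid=administrator,o=Organization Name" write
        by * read
"""

# Hypothetical repair: "(.*,)?" also matches the branch entry itself (the
# parent of every add); a userpassword clause placed before the general branch
# clause keeps hashes out of "by * read"; "by self write" is restored.
FIXED = """
defaultaccess   none
access to dn="(.*,)?ou=another branch,o=Organization Name" attr=userpassword
        by self write
        by dn="uid=12345,ou=people,o=Organization Name" write
        by dn="uid=administrator,o=Organization Name" write
        by * compare
access to dn="(.*,)?ou=another branch,o=Organization Name"
        by self write
        by dn="uid=12345,ou=people,o=Organization Name" write
        by dn="uid=administrator,o=Organization Name" write
        by * read
access to dn=".*,ou=people,o=Organization Name" attr=userpassword
        by self write
        by dn="uid=administrator,o=Organization Name" write
        by * compare
access to *
        by self write
        by dn="uid=administrator,o=Organization Name" write
        by * read
"""

BRANCH_ADMIN = "uid=12345,ou=people,o=Organization Name"
PARENT = "ou=another branch,o=Organization Name"
NEW_ENTRY = "uid=99999," + PARENT          # constructed example entry


def findings(acl_text):
    """Constructed checks a branch admin, a branch user and anonymous trigger."""
    acl = parse_acl(acl_text)
    return {
        "admin_write_new_entry": allows(acl, BRANCH_ADMIN, NEW_ENTRY, None, "write"),
        "admin_write_parent": allows(acl, BRANCH_ADMIN, PARENT, "children", "write"),
        "admin_write_people": allows(acl, BRANCH_ADMIN, "uid=5,ou=people,o=Organization Name", None, "write"),
        "user_write_own_pw": allows(acl, NEW_ENTRY, NEW_ENTRY, "userpassword", "write"),
        "anon_read_branch_pw": allows(acl, "", NEW_ENTRY, "userpassword", "read"),
    }


if __name__ == "__main__":
    for name, text in ("POSTED", POSTED), ("FIXED", FIXED):
        print(name, findings(text))
```

Running the block prints one dictionary per configuration. For the posted rules, admin_write_new_entry is true but admin_write_parent is false, which is exactly the situation in which an add is refused with insufficient access when the server checks the parent; anon_read_branch_pw is true and user_write_own_pw is false. The repaired rules flip those three while still denying uid=12345 write on ou=people, so the delegated authority stays confined to the branch. The model is deliberately small: it does not distinguish search from compare on individual attributes, handles only dn=, self and * in "by" clauses, and, like the posted patterns, leaves regexes unanchored; in a real slapd.conf, anchor dn= patterns with ^ and $ so that a DN with a matching suffix in another part of the tree cannot satisfy them.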