
Re: having more privileged users



Prune wrote:

> Hi,
>
> Sorry to repost but I had no answer....
> Maybe I wasn't understood....
>
> Here is what I want :
>
> I want to be able to bind as a user (who's not manager) who will be able
> to do a search and find the DN of every entry in my LDAP.
> How is this possible ?
> How should I do ?
> Is this a good solution ?

The rootdn is a privileged user in the sense that it undergoes
privileged treatment when binding and performing all operations
that normally require checking permissions (think of acls in
read/write, size/time limits and so on). Unprivileged users may gain
special privileges only by means of accurate configuration. If you
need unlimited read access, you need to explicitly add your user
to any acl you write; for the time/size limit at present there's no
solution but raising the default limits, but this works for everybody
(in HEAD I just committed a couple of patches that overcome
this limitation).

If your ACLs are:

access to attrs=userPassword
    by self write
    by * auth

access to dn=".*,ou=My Tree,dc=my,dc=org"
    by users read
    by * none

access to dn=".*,ou=Another Tree,dc=my,dc=org"
    by dn="[^,]+,ou=Apps,dc=my,dc=org"
    by * none

access to *
    by * read

you need to do:

access to attrs=userPassword
    by self write
    by * auth

access to dn=".*,ou=My Tree,dc=my,dc=org"
    by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
    by users read
    by * none

access to dn=".*,ou=Another Tree,dc=my,dc=org"
    by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
    by dn="[^,]+,ou=Apps,dc=my,dc=org"
    by * none

access to *
    by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
    by * search

the same applies if you need different access rights, say "write".
You also need to set

sizelimit    (>MAX ENTRIES)
timelimit    (>TIME REQUIRED TO SEARCH THE WHOLE DIT)

If you go to HEAD, you may also have a look at

http://www.openldap.org/lists/openldap-devel/200107/msg00116.html

and threads that follow.

Pierangelo.

--
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati
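As an added illustration of the ACL reasoning in the reply above (this is example code written for this page, not Pierangelo's or OpenLDAP's own code), the following small evaluator parses a slapd.conf-style ACL set and reports which access level a given bind DN gets on a given entry, using the same first-matching-directive, first-matching-by-clause rule that slapd applies. The sample ACL text is the corrected configuration from the reply, with one assumption: the `ou=Apps` clause is given an explicit `read` level, since the post leaves the level off that line and the evaluator requires one. Further simplifying assumptions: `dn=` patterns are treated as anchored regular expressions (the old regex-style matching), only the `*`, `anonymous`, `users`, `self` and `dn=` who-forms are supported, `<control>` keywords and size/time limits are ignored, and an entry that no directive covers is treated as `none`.

```python
import re

# Constructed sample: the corrected ACL set from the reply above.
# Assumption: "read" added to the ou=Apps clause (the post omits the level).
SAMPLE_ACLS = """
access to attrs=userPassword
    by self write
    by * auth

access to dn=".*,ou=My Tree,dc=my,dc=org"
    by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
    by users read
    by * none

access to dn=".*,ou=Another Tree,dc=my,dc=org"
    by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
    by dn="[^,]+,ou=Apps,dc=my,dc=org" read
    by * none

access to *
    by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
    by * search
"""

# Access levels in increasing order; a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def _parse_what(spec):
    """Parse the <what> part: '*' -> {}, otherwise a dict of dn=/attrs= selectors."""
    spec = spec.strip()
    if spec == "*":
        return {}
    what = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', spec):
        what[key] = quoted or bare
    return what


def parse_acls(text):
    """Turn slapd.conf-style ACL text into a list of (what, [(who, level), ...])."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("access to "):
            directives.append((_parse_what(line[len("access to "):]), []))
        elif line.startswith("by "):
            if not directives:
                raise ValueError("'by' clause before any 'access to'")
            m = re.fullmatch(r'by\s+(\*|anonymous|users|self|dn="[^"]*")\s+(\w+)', line)
            if not m:
                raise ValueError("unsupported or incomplete by-clause: " + line)
            who, level = m.group(1), m.group(2).lower()
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            directives[-1][1].append((who, level))
        else:
            raise ValueError("unrecognised line: " + line)
    return directives


def _what_matches(what, target_dn, attr):
    # A dn= selector is matched as an anchored regex (assumption, regex-style ACLs).
    if "dn" in what and not re.fullmatch(what["dn"], target_dn, re.IGNORECASE):
        return False
    # An attrs= directive only applies when one of the listed attributes is requested.
    if "attrs" in what:
        wanted = [a.strip().lower() for a in what["attrs"].split(",")]
        return attr is not None and attr.lower() in wanted
    return True


def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    pattern = who[len('dn="'):-1]          # strip the dn="..." wrapper
    return bind_dn != "" and re.fullmatch(pattern, bind_dn, re.IGNORECASE) is not None


def evaluate(directives, bind_dn, target_dn, attr=None):
    """Return the access level bind_dn has on target_dn (entry, or one attribute)."""
    for what, clauses in directives:
        if not _what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, bind_dn, target_dn):
                return level
        return "none"   # directive matched the entry but no by-clause matched the binder
    return "none"       # no directive applies (assumption: treat as none)


def allowed(directives, bind_dn, target_dn, needed, attr=None):
    """True if the granted level is at least 'needed'."""
    return LEVELS.index(evaluate(directives, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def visible_entries(directives, bind_dn, entries):
    """Entries whose DN a search by bind_dn could return (needs at least 'search')."""
    return [dn for dn in entries if allowed(directives, bind_dn, dn, "search")]


ACLS = parse_acls(SAMPLE_ACLS)

# Constructed sample entries spread over the three subtrees of the sample ACLs.
ENTRIES = [
    "cn=alice,ou=My Tree,dc=my,dc=org",
    "cn=svc1,ou=Another Tree,dc=my,dc=org",
    "cn=app1,ou=Apps,dc=my,dc=org",
    "ou=Other,dc=my,dc=org",
]

if __name__ == "__main__":
    for who in ["cn=YOUR USER,ou=People,dc=my,dc=org", "cn=bob,ou=People,dc=my,dc=org", ""]:
        print(repr(who), "->", visible_entries(ACLS, who, ENTRIES))
```

Running the block shows the point of the reply: an ordinary authenticated user is shut out of `ou=Another Tree` by the trailing `by * none`, so only the DN that was explicitly added to every directive can enumerate the whole tree; note also that the `userPassword` directive applies to that attribute on every entry, which is why it sits first.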