[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: REPOST::: SubtreeAdmin in openLDAP v3

> Hi there,
> I have installed openLDAP v3 and it seems to be running very smoothly. 
> However I always thought that one of the great strengths of LDAP is the 
> possibility to create different subtrees, thereby each subtree having 
> its very own admin with write privileges.

This has always been possible, with OpenLDAP 1.X as well as with 2.0.X

> Lets's say I have the tree
> records
>   I
>   I-- store a
>   I
>   I-- store b

You can use two separate databases, e.g.

database	ldbm
suffix		"o=a,dc=suffix"
rootdn		"cn=manager,o=a,dc=suffix"

database	ldbm
suffix		"o=b,dc=suffix"
rootdn		"cn=manager,o=b,dc=suffix"

or a single database, 

database	ldbm
suffix		"dc=suffix"
rootdn		"cn=manager,dc=suffix"

where access to subtrees is delegated to normal users with full access

> Both subtrees (store a and store b) have the same scheme which is 
> included via slapd.conf. Ich have included core.schema also.  Each 
> subtree is containing the data of records only; -no users. The 
> "unsolvable" problem is to create two admins (one for the subtree store 
> a and the other one for store b) having only read / write privileges on 
> his very own subtree.
> With openLDAP 1.2 I simply can add an accessline like this:
> access to ou=store_a,o=records by cn=admin_store_a,ou=admins,o=records 
> write
> In openLDAP v3 I get obscure errors. Sometimes it doesen't work at all, 
> at other times it says "no write access to parent". Have they changed 
> accesslines that much in openLDAP v3 ?

Access control is much more sophisticated in OpenLDAP 2.0; to access
an entry's attributes you need to have access to the meta-attribute
"entry"; to add/delete an entry you need write access to the
meta-attribute "children".

Your example should read:

access to dn.exact="ou=store_a,o=records"
	by dn.exact="cn=admin_store_a,ou=admins,o=records" write

The problem of your approach is that ACLs by default are not additive.
They cn be made additive by using control clauses like continue, break,
stop.  You should read carefully the ACL documentation: