Re: Urgent: Query regarding ACL

tir, 2002-07-16 kl. 12:07 skrev Ashish Gokhale:

>  I am setting up ACL for the first time. I have gone
>  through the Admin's Guide, but could not put much to
>  practical use. Here is the situation.

I'll have a stab at bits of it. Where I go wrong, others can lambast me,
from which I can learn too.

Firstly, you've got the right idea but haven't got the routine yet.

I do seriously suggest that if you're running linux and Gnome, that you
get hold of GQ. GQ is a GUI user interface that won't let you make
mistakes in schema hierarchy, points out where you go wrong and why.
Compile your own :-)
Design your schema on paper first. Add your basic DN and Manager with
slapadd from a basic ldif file, then add the hierarchy bit by bit, until
it works. Have "schemacheck on" in your slapd.conf (is by default).
*Never* put this off to save problems.

>  suffix: dc=BigCorp,dc=com,c=na
>  rootdn: cn=Manager,dc=BigCorp,dc=com,c=na

Nothing wrong with that.

>  We have 800+ people (inetOrgPerson) elements under
>  ou=people,o=ChildOfBigCorp,dc=BigCorp,dc=com,c=na
> recognized.
>  such as,
>  dn:
> cn=0123,ou=people,ChildOfBigCorp,dc=BigCorp,dc=com,c=na
> not recognized.

You forgot an "ou". You can't just have commas like that.
>  employeeType: employee
>  userPassword:: xyzABC
>  uid: abc
>  displayName: A B Normal 
>  departmentNumber: 6
>  objectClass: inetOrgPerson
>  employeeNumber: 0123

You forgot an obligational objectClass: top
You forgot an obligational structural objectClass: person with
You forgot an auxiliary objectClass: posixAccount with uid and

GQ won't *let* you make these mistakes; it just won't do what you want.

>  My purpose is to:
>  1. Allow only the people under ou=people,... node ,
> have complete access to entire directory,
>  2. Have no anonymous access

Get the above working first.

>  I wrote an ACL from what I understood (or
>  misunderstood) as follows.
>  ----
>  access to dn=".*dc=BigCorp,dc=com,c=na"
>  	by dn=".*ou=people,o=ChildOfBigCorp,dc=BigCorp,dc=com,c=na" write
>  ----

Nothing wrong with that. However, to be able to write, people will have
to authorize first, to let ldap know who they are. To be able to
authorize, they'll have to have read access to their DNs. If you just
use the above, you'll let everyone write to anything in the directory,
other peoples' passwords, everything. Again, access should be strictly
hierarchical. Step 1 [accept|deny], step 2 [accept|deny] etc.

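The two points made above (users must be able to bind before an ACL can recognise them, and a blanket write grant covers everyone's passwords), written out as slapd.conf ACLs for the poster's DNs. This is an added example, not from either message in the thread; it assumes OpenLDAP 2.1 or later syntax (`dn.subtree`, `dn.children`), whereas the poster's bare `dn="..."` form is the 2.0 regex style.

```conf
# Added example (not from the thread): slapd.conf ACLs for the poster's two
# goals, staff under ou=people get write access and nobody gets anonymous
# access, arranged so that a simple bind still works.
#
# slapd evaluates "access to" clauses top to bottom and stops at the first
# one whose <what> matches the entry/attribute, then takes the first matching
# <by> clause inside it. The userPassword rule therefore has to come before
# the catch-all rule for the whole tree.

# 1. Passwords. A simple bind happens before the client has any identity,
#    so the "anonymous" user needs "auth" (compare-for-bind only, no read)
#    on userPassword, otherwise nobody can ever log in. Owners may change
#    their own password; every other caller, including other staff, gets
#    nothing, which is what stops one employee rewriting another's password.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Everything else under the suffix. Only entries that are children of
#    ou=people,... (i.e. the 800+ inetOrgPerson entries, once they have
#    authenticated) may write. The closing "by * none" is what implements
#    "no anonymous access": anyone not matched earlier is denied.
#    dn.children is the OpenLDAP 2.1+ spelling; on 2.0 use the regex form
#    by dn="^.+,ou=people,o=ChildOfBigCorp,dc=BigCorp,dc=com,c=na$" write
#    with the anchors, so the pattern cannot match some other subtree.
access to dn.subtree="dc=BigCorp,dc=com,c=na"
        by dn.children="ou=people,o=ChildOfBigCorp,dc=BigCorp,dc=com,c=na" write
        by * none
```

The rootdn from slapd.conf bypasses ACLs entirely, so it still works for the slapadd/ldapadd of the initial hierarchy regardless of what is granted here.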