Tue, 2002-07-16 at 12:07, Ashish Gokhale wrote:

> I am setting up ACL for the first time. I have gone
> through the Admin's Guide, but could not put much to
> practical use. Here is the situation.

I'll have a stab at bits of it. Where I go wrong, others can lambast me, from which I can learn too.

Firstly, you've got the right idea but haven't got the routine yet. I do seriously suggest that if you're running Linux and Gnome, you get hold of GQ. GQ is a GUI user interface that won't let you make mistakes in schema hierarchy, points out where you go wrong and why. Compile your own :-)

http://sourceforge.net/project/?group_id=3805

Design your schema on paper first. Add your basic DN and Manager with slapadd from a basic ldif file, then add the hierarchy bit by bit, until it works. Have "schemacheck on" in your slapd.conf (is by default). *Never* put this off to save problems.

> suffix: dc=BigCorp,dc=com,c=na
> rootdn: cn=Manager,dc=BigCorp,dc=com,c=na

Nothing wrong with that.

> We have 800+ people (inetOrgPerson) elements under
> ou=people,o=ChildOfBigCorp,dc=BigCorp,dc=com,c=na
> recognized.
>
> such as,
> dn:
>
> cn=0123,ou=people,ChildOfBigCorp,dc=BigCorp,dc=com,c=na
> not recognized.

You forgot an "ou". You can't just have commas like that.

cn=0123,ou=people,ou=ChildOfBigCorp,dc=BigCorp,dc=com,c=na

> employeeType: employee
> userPassword:: xyzABC
> uid: abc
> displayName: A B Normal
> departmentNumber: 6
> objectClass: inetOrgPerson
> employeeNumber: 0123

You forgot an obligational objectClass: top
You forgot an obligational structural objectClass: person with inetOrgPerson
You forgot an auxiliary objectClass: posixAccount with uid and userPassword

GQ won't *let* you make these mistakes; it just won't do what you want.

> My purpose is to:
> 1. Allow only the people under ou=people,... node,
> have complete access to entire directory,
> 2. Have no anonymous access

Get the above working first.
> I wrote an ACL from what I understood (or
> misunderstood) as follows.
>
> ----
> access to dn=".*dc=BigCorp,dc=com,c=na"
>   by
>   dn=".*ou=people,o=ChildOfBigCorp,dc=BigCorp,dc=com,c=na"
>   write
> ----

Nothing wrong with that. However, to be able to write, people will have to authorize first, to let ldap know who they are. To be able to authorize, they'll have to have read access to their DNs. If you just use the above, you'll let everyone write to anything in the directory, other peoples' passwords, everything. Again, access should be strictly hierarchical. Step 1 [accept|deny], step 2 [accept|deny] etc.

Best,

Tony

--
Tony Earnshaw
e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Phone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
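An added example of the step-by-step ("step 1 accept/deny, step 2 accept/deny") ACL ordering the reply describes, written for the poster's suffix; it is not from either poster. It assumes OpenLDAP 2.1-style `dn.subtree=` selectors rather than the 2.0 regex form in the quoted ACL, and keeps the `o=ChildOfBigCorp` component exactly as the original post wrote it.

```conf
# slapd.conf access-control fragment (added example, not from the thread).
# Rules are evaluated top to bottom; the first "access to" that matches the
# target entry/attribute decides, so the most specific rule comes first.
# Assumption: OpenLDAP 2.1+ selector syntax (dn.subtree, attrs).

# Step 1: passwords. Anonymous clients may only use them to bind ("auth"),
# so people can authenticate without anyone being able to read the hash.
# Owners may change their own; everybody else is denied.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Step 2: entries under ou=people. Each person may update their own entry,
# other authenticated people under ou=people may read it, nobody else.
access to dn.subtree="ou=people,o=ChildOfBigCorp,dc=BigCorp,dc=com,c=na"
    by self write
    by dn.subtree="ou=people,o=ChildOfBigCorp,dc=BigCorp,dc=com,c=na" read
    by * none

# Step 3: the rest of the directory is readable by people who have bound
# from ou=people; "by * none" denies anonymous access to the whole tree.
access to dn.subtree="dc=BigCorp,dc=com,c=na"
    by dn.subtree="ou=people,o=ChildOfBigCorp,dc=BigCorp,dc=com,c=na" read
    by * none
```

The rootdn (cn=Manager,...) is not subject to these rules, so administrative writes still work; test the rules with ldapsearch/ldapmodify bound as an ordinary user before widening any "read" to "write".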