
Re: ACL: protect entry but not children



Ace Suares (ace@suares.com) wrote:

> I understood that you said you could drag and drop with GQ, but that 
> seems not to be the case. I might have misunderstood.

It is a compile-time switch.

> GQ doesn't give me any more information about what ACLs are and how 
> to configure them correctly.
> 
> So, I am still full of questions on ACLs.

ACLs are access control lists. For every search an LDAP server does, it
goes through its ACLs. Sequentially, in the case of OpenLDAP. For
OpenLDAP, you store the ACLs inside the slapd.conf file. For iPlanet,
they are stored in the LDAP directory itself.

For each request, OpenLDAP will go through the ACLs from top to
bottom until it finds a match. Then it will stop and go no further. If
there is no match, the request does not receive a reply. One sort of
stupid thing about X.500, and thus LDAP, is that if you don't have
permissions to do something then the server gives you cryptic messages
like "no such object", even when you know that the object is there. They
sort of thought that security through obscurity was the way to go...

OpenLDAP ACLs can contain regular expressions to match strings in
a more powerful way, so that you do not need to write so many ACL
lines.

-- 
Mike
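As an added worked example (not part of Mike's mail and not OpenLDAP code), here is a small Python model of the first-match evaluation described above, run over constructed slapd.conf-style `access to ... by ...` directives. The directive syntax (`dn.base`, `dn.children`, `dn.subtree`, `dn.regex`, `by self|users|anonymous|*`) is OpenLDAP's; the two rule sets, the example DNs and the evaluator itself are constructed for illustration. The first rule set answers the thread's question (protect the container entry, not its children); the second shows the ordering mistake that silently undoes that protection.

```python
import re

# Added example, not from the mail thread or from OpenLDAP. Toy model of how
# slapd walks its slapd.conf "access to <what> by <who> <level>" directives:
# the first directive whose target matches the entry decides, and within it
# the first matching "by" clause decides. The directive syntax is OpenLDAP's;
# the rule sets, DNs and evaluator below are constructed for illustration.

# Constructed rules for the thread's question: deny everything on the
# container entry itself, but let authenticated users read its children
# (and let each user write their own entry).
PROTECT_ENTRY_NOT_CHILDREN = """
access to dn.base="ou=people,dc=example,dc=com" by * none
access to dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$" by self write by users read
access to dn.children="ou=people,dc=example,dc=com" by users read
access to * by * none
"""

# Same intent, but a subtree rule placed first: it also matches the
# container, so the dn.base rule beneath it is never consulted.
SHADOWED_VARIANT = """
access to dn.subtree="ou=people,dc=example,dc=com" by users read
access to dn.base="ou=people,dc=example,dc=com" by * none
access to * by * none
"""

ACCESS_LINE = re.compile(r'^access\s+to\s+(?:dn\.(\w+)=)?"?([^"\s]+)"?\s+(by\s+.*)$')
BY_CLAUSE = re.compile(r'by\s+(\S+)\s+(\S+)')


def parse_acls(text):
    """Parse directives into (scope, target, [(who, level), ...]) in file order."""
    acls = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ACCESS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable ACL line: {line!r}")
        scope, target, by_part = m.groups()
        if target == "*":
            scope = "all"
        acls.append((scope, target, BY_CLAUSE.findall(by_part)))
    return acls


def normalize(dn):
    """Crude DN normalisation: trim and lowercase each RDN (enough for the toy)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def target_matches(scope, target, entry_dn):
    e = normalize(entry_dn)
    if scope == "all":
        return True
    if scope == "regex":
        return re.match(target, e, re.IGNORECASE) is not None
    t = normalize(target)
    if scope == "base":
        return e == t
    if scope == "subtree":
        return e == t or e.endswith("," + t)
    if scope == "children":
        return e != t and e.endswith("," + t)
    if scope == "one":
        return e.endswith("," + t) and "," not in e[: -len(t) - 1]
    raise ValueError(f"unsupported scope {scope!r}")


def who_matches(who, entry_dn, requester_dn):
    """requester_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and normalize(requester_dn) == normalize(entry_dn)
    raise ValueError(f"unsupported who {who!r}")


def access_for(acls, entry_dn, requester_dn):
    """Access level the first matching directive grants.

    Within the chosen directive the first matching "by" clause wins; if none
    matches, the result is "none" (slapd's implicit trailing "by * none").
    When no directive matches at all this toy also answers "none"; both
    sample rule sets end with a catch-all so that case is never reached.
    """
    for scope, target, by_clauses in acls:
        if not target_matches(scope, target, entry_dn):
            continue
        for who, level in by_clauses:
            if who_matches(who, entry_dn, requester_dn):
                return level
        return "none"
    return "none"


if __name__ == "__main__":
    container = "ou=people,dc=example,dc=com"
    ace = "uid=ace,ou=people,dc=example,dc=com"
    for name, text in (("intended", PROTECT_ENTRY_NOT_CHILDREN), ("shadowed", SHADOWED_VARIANT)):
        acls = parse_acls(text)
        print(name, "container as ace:", access_for(acls, container, ace))
        print(name, "own entry as ace:", access_for(acls, ace, ace))
```

The lesson the second rule set demonstrates is the one Mike describes: slapd stops at the first `access to` whose target matches, so a broad `dn.subtree` rule placed above a narrow `dn.base` rule makes the narrow rule dead code, and the container becomes readable to every authenticated user. Against a real server, check what a given DN is actually granted with slapacl(8) rather than trusting a model like this one.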