[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Access Control

tir, 2002-09-17 kl. 19:12 skrev Flavio Alves:

> I'm new to LDAP, and I have some doubts regarding LDAP it self and ACL.

So'm I and so have I.

> What I really need is that a User (Jonny Gogogo for instance) to have access
> to it's entry and also it's subtree.
> When A user authenticates, he gains access to this entries...
>     + -- cn=User X,cn=users,dc=example,dc=com
>       + -- cn=Application 1,cn=User X,cn=users,dc=example,dc=com
>       + -- cn=Application 2,cn=User X,cn=users,dc=example,dc=com
>       + -- cn=Application 3,cn=User X,cn=users,dc=example,dc=com

To my pea-like brain, you can't go from right to left, you have to go
from left to right.

You'd have to create a group to which Jonny Gogo has sole access (along
with Admin or whatever you call your manager), and then give those two
(or more, for that matter) complete access to it. Put whatever Jonny has
access to in that group:
access to dn="cn=Gogothings,cn=users,dc=example,dc=com"
  by anonymous auth
  by dn="cn=Jonny Gogo,cn=users,dc=example,dc=com" write
  by dn="cn=Admin,cn=users,dc=example,dc=com" write
  by * none

dn: ou=Gogothings,cn=users,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: extensibleObject
userid: Gogothings
description: App1
description: App2
description: App2
description: App2

I dunno. I just picked an objectClass out of the Openldaps standard
schemas that works with GQ. There are most probably more suitable
objectClasses. But something like that.

Now I'm looking forward to someone teeling me a better way :-)




Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981

Attachment: signature.asc
Description: Dette er en digitalt signert meldingsdel