[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL question - my solution

To: openldap-software@OpenLDAP.org
Subject: Re: ACL question - my solution
From: James Shvarts <ys2046@columbia.edu>
Date: Tue, 01 Oct 2002 19:10:10 -0400
References: <200210011402.g91E2nji031418@galois.openldap.org> <3D99AF65.5040002@columbia.edu> <3D99DE43.50908@speakeasy.org>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530

Everyone,
thanks for your help. i finally figured out how to do it.

below is an acl portion from the slave's slapd.conf:

[...]

defaultaccess none

access to dn="(.*,)*ou=origin,dc=myorg,dc=org"
       by dn="cn=origin-service,ou=Services,dc=myorg,dc=org" read

access to dn="(.*,)*ou=target,dc=myorg,dc=org"
       by dn="cn=target-service,ou=Services,dc=myorg,dc=org" read

access to *
       by dn="cn=replicator,dc=myorg,dc=org" write
       by users read
       by * auth

[...]

where replicator is *not* a rootdn. this setup allows: 1) prevents anonymous access of any data within this dir 2) allows replicator to modify anything within this dir 3) lets appropriate services read (slave is read-only by definition) from their contexts. dn="(.*,)*ou=origin,dc=myorg,dc=org" is a catch-all for both dn="uid=user1,ou=origin,dc=myorg,dc=org" as well as dn="ou=origin,dc=myorg,dc=org" as well as anything underneath it

References:
- ACL question
  - From: James Shvarts <ys2046@columbia.edu>
- Re: ACL question
  - From: John Ziniti <jziniti@speakeasy.org>

Prev by Date: errno=97
Next by Date: facsimileTelephoneNumber comparisons
Index(es):
- Chronological
- Thread