
Re: slapd.conf access statement



Jason Parsons wrote:

I have LDAP entries that look something like this:

dn: ou=blah.net,ou=accounts,dc=example,dc=net
    userpassword: password
dn: cn=one,ou=blah.net,ou=accounts,dc=example,dc=net

dn: ou=something.net,ou=accounts,dc=example,dc=net
    userpassword: password2
dn: cn=one,ou=something.net,ou=accounts,dc=example,dc=net
dn: cn=two,ou=something.net,ou=accounts,dc=example,dc=net


I would like to allow a user identified by the userpassword to have write access to all of the entries "under" that DN (cn=one, cn=two, ...). I'm not exactly sure how to do this in slapd.conf. Can someone point me to syntax for the 'access' statements here?

An earlier post cleared up my access confusion so well I saved a copy and have used it several times as a cheat sheet. They used an example to explain what's happening. I quote:


access to attrs=userPassword,sn
    # specifically to the attributes userPassword and sn (Surname, shown
    # as "Last Name" in Microsoft Outlook)

    by dn.exact="cn=Manager,o=sunrise.com" write
    # allows the Manager to write these attributes (the rootdn bypasses
    # ACLs altogether, so it needs no clause of its own)

    by self write
    # allows an authenticated user to write these attributes in its own entry

    by * auth
    # allows anonymous and authenticated users to authenticate only: anyone
    # can contact the server and bind against userPassword, but any further
    # access to the attributes depends on the clauses above


access to *
    # all remaining entries and attributes (only cn and mail are left in
    # entry.ldif), since userPassword and sn were already matched above

    by dn.exact="cn=Manager,o=sunrise.com" write
    # allows the Manager to write these entries and attributes

    by self write
    # allows an authenticated user to write its own entry and attributes
    # (cn and mail only, as in entry.ldif); this has to come before the
    # broader dn.regex clause below, because the first matching "by" clause
    # wins and the regex would otherwise cap the user at read on its own entry

    by dn.regex="^.*,o=sunrise.com$" read
    # allows the users under o=sunrise.com to read entries and attributes
    # (cn and mail only, as in entry.ldif); the pattern is matched against
    # the normalized DN, so no space after the comma

    by users read
    # allows all other authenticated users to read entries and attributes
    # (cn and mail only, as in entry.ldif)

    by anonymous read
    # allows anonymous to read entries and attributes (cn and mail only,
    # as in entry.ldif)

    by * auth
    # allows anonymous and authenticated users to authenticate only; in this
    # statement it is never reached, because every client is either anonymous
    # or users and has already matched one of the two clauses above


Thanks Rakesh!!!
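Applying the same rules to the layout in the question, here is an added slapd.conf fragment. It is not from the thread and not Jason's or Rakesh's config; it assumes the suffix dc=example,dc=net, one ou=<customer> entry per customer under ou=accounts that carries its own userPassword (organizationalUnit alone does not allow that attribute, so the entry needs an auxiliary class such as simpleSecurityObject), and an OpenLDAP release that understands dn.regex in the "to" clause and the dn.exact,expand modifier in the "by" clause (2.2 and later). The slapacl paths and DNs at the end are assumptions as well.

```conf
# Added example for the layout in the question; not from the thread.
# Assumes suffix dc=example,dc=net, one ou=<customer> entry per customer
# under ou=accounts (each with its own userPassword, e.g. via the auxiliary
# objectClass simpleSecurityObject), and an OpenLDAP release that supports
# dn.regex and dn.exact,expand (2.2 and later).
#
# Statements are checked in order and the first "access to" that matches
# the entry (and attribute) is the only one used, and within a statement
# the first matching "by" clause wins. So: specific rules first, catch-all
# last, and the most privileged "by" clause before the broader ones.

# 1. Passwords anywhere under a customer ou. The identity that bound as
#    that ou entry may set them (its own and its children's); everyone
#    else may only bind against them and never read the hash.
#    $2 is the customer ou DN captured by the second group of the regex,
#    and the DN is matched in normalized form (lowercase, no spaces).
access to dn.regex="^(.+,)?(ou=[^,]+,ou=accounts,dc=example,dc=net)$"
        attrs=userPassword
    by dn.exact,expand="$2" write
    by anonymous auth
    by * none

# 2. Every other attribute of the customer ou entry and of the entries
#    beneath it (cn=one, cn=two, ...): the customer identity gets write.
#    Other customers and anonymous get nothing, which keeps tenants
#    isolated; add "by users read" before "by * none" if cross-customer
#    reads are actually wanted.
access to dn.regex="^(.+,)?(ou=[^,]+,ou=accounts,dc=example,dc=net)$"
    by dn.exact,expand="$2" write
    by * none

# 3. Whatever is left (the suffix entry and ou=accounts itself) must be
#    readable by bound users, or they cannot traverse down to their subtree.
access to *
    by users read
    by * none

# Check the result against the config file without a running server.
# slapacl ships with OpenLDAP; -u skips fetching the entry from the
# database, which is fine here because the rules depend only on DNs.
# Bound as blah.net, a write to an entry under something.net must be denied:
#   slapacl -u -f /etc/openldap/slapd.conf \
#       -D "ou=blah.net,ou=accounts,dc=example,dc=net" \
#       -b "cn=two,ou=something.net,ou=accounts,dc=example,dc=net" \
#       entry/write
# Bound as blah.net, a write to its own child must be granted:
#   slapacl -u -f /etc/openldap/slapd.conf \
#       -D "ou=blah.net,ou=accounts,dc=example,dc=net" \
#       -b "cn=one,ou=blah.net,ou=accounts,dc=example,dc=net" \
#       entry/write
# And anonymous must get no more than auth on any userPassword:
#   slapacl -u -f /etc/openldap/slapd.conf \
#       -b "ou=blah.net,ou=accounts,dc=example,dc=net" \
#       userPassword/read
```

The one thing to watch when adapting this is the order of the three statements: if the "access to *" catch-all were listed first it would match every entry, and the two customer rules would never be consulted, exactly the first-match behaviour the cheat sheet above illustrates with its "by" clauses.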