[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Questions on ACL

The FAQ-O-Matic had just the example of regex I needed! Thanks for the info, Mike.

In the end this is what I was essentially looking for (for archiving purposes on the list):

access to dn="ou=([^,]+),ou=contacts,dc=example,dc=com" attrs=children,entry,u
by dn="uid=$1,ou=users,dc=example,dc=com" write
by users read

The goal was to have a public place within LDAP that users could store/share contact information, and within a subtree where a search for * would be limited to outside information, and not include users. Essentially mail merge on this subtree, point your email client to ou=users for completion.

If anyone knows of a nicer way to do this for reasons unforseen, please let me know.

Jeremy Kuhnash

Mike O'Rourke wrote:

Please see:
http://www.openldap.org/faq/data/cache/52.html OpenLDAP Faq-O-Matic
\_OpenLDAP Software FAQ
\_SLAPD Configuration
\_Access Control
\_How do I use groups as manage access controls?


Jeremy Kuhnash <lists@planetzed.net> 02/14/03 04:49am >>>

This is the second question in a week with basically the same content:

How can you handle directory writing on a basis other than 'self' or matching a single user like manager? The openldap manual _even skips_

the 'regex' method of defining ACLs, but there must be a way to do it.
I too would like users to be able to store address books in LDAP for roaming and sharing purposes ... this is huge information when being a

proponent of the use of openldap over things like Lotus Domino or Msft.



Etienne Goyer wrote:


I am currently in the planification phase a large-scale installation


OpenLDAP for a client. The installation will be used as address book

and authentification repository for various system with 12 000 users


first (expected to grow near 100 000 in the future).

I have of the most of the issue sorted out (backup, replication,


etc) but I still have a few interrogations concerning ACLs.

First, can the ACL directives be stored outside of slapd.conf ? For
obvious reasons, access to this file have to be pretty much


If not, that would forbid deleguation of ACL management.

Second, is there a way to have changes in ACLs directive applied


restarting the service ?

Third, is there a performance penalities for having a lot of ACL
directives ?  As a side question, how are ACL processed ?  Are they
applied before the search or on the results set ?

Thanks for your insight.  Pointer to doc explaining these issue are
welcome.  So far, my search for answers to these questions have been