Re: Questions on ACL
- To: "Mike O'Rourke" <firstname.lastname@example.org>, openldap-software@OpenLDAP.org
- Subject: Re: Questions on ACL
- From: Jeremy Kuhnash <email@example.com>
- Date: Fri, 14 Feb 2003 16:01:41 -0500
- In-reply-to: <firstname.lastname@example.org>
- References: <email@example.com>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021212
The FAQ-O-Matic had just the example of regex I needed! Thanks for the
In the end this is what I was essentially looking for (for archiving
purposes on the list):
access to dn="ou=([^,]+),ou=contacts,dc=example,dc=com"
by dn="uid=$1,ou=users,dc=example,dc=com" write
by users read
The goal was to have a public place within LDAP that users could
store/share contact information, and within a subtree where a search for
* would be limited to outside information, and not include users.
Essentially mail merge on this subtree, point your email client to
ou=users for completion.
If anyone knows of a nicer way to do this for reasons unforseen, please
let me know.
Mike O'Rourke wrote:
OpenLDAP Software FAQ
How do I use groups to manage access controls?
Jeremy Kuhnash <firstname.lastname@example.org> 02/14/03 04:49am >>>
This is the second question in a week with basically the same content:
How can you handle directory writing on a basis other than 'self' or
matching a single user like manager? The openldap manual _even skips_
the 'regex' method of defining ACLs, but there must be a way to do it.
I too would like users to be able to store address books in LDAP for
roaming and sharing purposes ... this is huge information when being a
proponent of the use of openldap over things like Lotus Domino or Msft.
Etienne Goyer wrote:
I am currently in the planning phase of a large-scale installation of
OpenLDAP for a client. The installation will be used as an address book
and authentication repository for various systems, with 12 000 users at
first (expected to grow to near 100 000 in the future).
I have most of the issues sorted out (backup, replication,
etc.) but I still have a few questions concerning ACLs.
First, can the ACL directives be stored outside of slapd.conf? For
obvious reasons, access to this file has to be pretty much
If not, that would forbid delegation of ACL management.
Second, is there a way to have changes in ACL directives applied
restarting the service?
Third, are there performance penalties for having a lot of ACL
directives? As a side question, how are ACLs processed? Are they
applied before the search or on the result set?
Thanks for your insight. Pointers to docs explaining these issues are
welcome. So far, my search for answers to these questions has been
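As an added illustration (not code from this thread or from OpenLDAP itself), the following Python models how slapd evaluates the regex ACL quoted at the top of this reply: the regex is run against the target DN and $1 in the "by dn=" clause is expanded from the capture group before comparison with the bound DN. It also shows why the regex should be anchored; the ANCHORED_TARGET pattern and the "none"/None return values are this model's own conventions, and DN normalisation is left out.

```python
import re

# Simplified model of slapd's "access to dn=<regex>" evaluation (an added
# illustration, not slapd's own code). DN normalisation and <who> forms other
# than "dn=" and "users" are omitted.

# The ACL from the post above.
POSTED_TARGET = r"ou=([^,]+),ou=contacts,dc=example,dc=com"
POSTED_BY = [("dn", "uid=$1,ou=users,dc=example,dc=com", "write"),
             ("users", None, "read")]

# Same intent with the regex anchored: the ou entry plus everything below it,
# and nothing outside that subtree. The ou value is now capture group 2.
ANCHORED_TARGET = r"^(.+,)?ou=([^,]+),ou=contacts,dc=example,dc=com$"
ANCHORED_BY = [("dn", "uid=$2,ou=users,dc=example,dc=com", "write"),
               ("users", None, "read")]

def expand(template, match):
    """Replace $1..$9 in a <by> pattern with the target-DN capture groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template)

def access_for(target_dn, bind_dn, target_regex=POSTED_TARGET, by_clauses=POSTED_BY):
    """Access level the clause grants bind_dn ("" = anonymous) on target_dn,
    or None when the 'access to' regex does not match and the clause is skipped."""
    m = re.search(target_regex, target_dn)      # unanchored search, like regexec()
    if m is None:
        return None
    for who, pattern, level in by_clauses:
        if who == "dn" and bind_dn and expand(pattern, m) == bind_dn:
            return level
        if who == "users" and bind_dn:
            return level
    return "none"                                # no <by> clause matched: denied

if __name__ == "__main__":
    alice = "uid=alice,ou=users,dc=example,dc=com"
    entry = "cn=Bob Smith,ou=alice,ou=contacts,dc=example,dc=com"   # constructed sample
    print(access_for(entry, alice))                                 # write
    print(access_for(entry, "uid=bob,ou=users,dc=example,dc=com"))  # read
    print(access_for(entry, ""))                                    # none
    # Unanchored, the posted regex also fires on an entry under another suffix
    # because "dc=com" is a prefix of "dc=company"; the anchored form does not.
    other = "cn=Bob Smith,ou=alice,ou=contacts,dc=example,dc=company"
    print(access_for(other, alice))                                 # write
    print(access_for(other, alice, ANCHORED_TARGET, ANCHORED_BY))   # None
```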