[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: cn=Log,cn=Monitor

To: <michael@stroeder.com>
Subject: Re: cn=Log,cn=Monitor
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Mon, 7 Apr 2003 08:00:17 +0200 (CEST)
Cc: <ando@sys-net.it>, <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <3E8EFFBF.4030705@stroeder.com>
References: <DC7AAC9FAF16D711B8A7000629A81695676B6E@C010893.winterthur.ch> <20030331134241.GB10095@brick.skills-1st.co.uk> <3E8ED65A.6010909@swissonline.ch> <2437.81.74.43.82.1049554096.squirrel@webmail.sys-net.it> <3E8EF91F.3080106@stroeder.com> <2648.81.74.43.82.1049557932.squirrel@webmail.sys-net.it> <3E8EFFBF.4030705@stroeder.com>

> Pierangelo Masarati wrote:
>>
>> the values are internally converted to their numerical
>> representation and ORed;
>
> Great.
>
>> Of course you need write permission on that entry and on
>> that value, which is easily obtained by means of ACLs.
>>
>> I don't remenber if a rootdn/rootpw is honored
>
> rootdn does not seem to work. If the access rights are insufficient I'd
> like  to get another error code.
>
>> backend; however it'd be of little use; my usual strategy
>> is to add ACLs that allow regular users belonging to other
>> databases to operate on monitor entries.
>
> Makes sense to me. I'll try with ACLs. Can you please post an example?

database bdb # any other database ...
suffix "dc=example,dc=com"
# ...

database monitor
access to *
    by dn.exact="uid=Administrator,ou=People,dc=example,dc=com" write
    by dn="uid=[^,]+,ou=People,dc=example,dc=com" read
    by * none

I checked out that you can also add a rootdn/rootpw pair
and bypass acl checks; the naming context of the rootdn,
of course, must be "cn=Monitor".

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Follow-Ups:
- Re: cn=Log,cn=Monitor
  - From: Michael Ströder <michael@stroeder.com>
- Re: cn=Log,cn=Monitor
  - From: Dieter Kluenter <dieter@dkluenter.de>

References:
- Re: Open LDAP and SNMP
  - From: vadim tarassov <vadim.tarassov@swissonline.ch>
- Re: Open LDAP and SNMP
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- cn=Log,cn=Monitor (was: Open LDAP and SNMP)
  - From: Michael Ströder <michael@stroeder.com>
- Re: cn=Log,cn=Monitor (was: Open LDAP and SNMP)
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: cn=Log,cn=Monitor
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Storing X509 certificates in LDAP?
Next by Date: Re: cn=Log,cn=Monitor (was: Open LDAP and SNMP)
Index(es):
- Chronological
- Thread