[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL questions.

Hi everyone,

I would like to have 2 users with separate ACLs for openldap:
uid=Ldaproot,dc=domain,dc=com  with full access to the database.
uid=Sambaroot,dc=domain,dc=com with access only to samba entries which
belong to the samba* attribute types and also to ou=Machines and ou=Idmap.

I do not want to have a rootdn entry in slapd.conf.  The Ldaproot user
will have a kerberos principal with an unknown password that will be
stored in a keytab which will be used to perform gssapi auths whenever we
need to add/remove information to ldap using some scripts.

Since Sambaroot needs to have an entry in /etc/samba/secrets.tdb which is
pretty much plaintext and since samba cannot use keytabs, I would like to
provide the user uid=Sambaroot,dc=domain,dc=com with ACLs to be able to
add one entry to the root of the ldap database:

dn: sambaDomainName=GT-MATH-TEST,dc=math,dc=gatech,dc=edu
objectClass: sambaDomain
sambaDomainName: GT-MATH-TEST
sambaSID: S-1-5-21-2135209786-3363987198-2266210874
sambaAlgorithmicRidBase: 1000

The information above changes with the domain name, so it is not like I
can add it once as Ldaproot and then let Sambaroot modify it.

How do I create an ACL to allow uid=Sambaroot to add such entry without
giving full write access?

I also need to allow Sambaroot to modify all attributetypes for samba.  Is
there any other way to do this better than:

access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attr=objectClass
	by * read
( I need to do the one above or the one below will block read acces to
everything since objectClass is listed as an attribute).

access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSID,samba
	by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write



Diego Julian Remolina
System Administrator
School of Mathematics
Georgia Institute of Technology