
ACL questions.
Hi everyone,

I would like to have 2 users with separate ACLs for openldap:
uid=Ldaproot,dc=domain,dc=com  with full access to the database.
uid=Sambaroot,dc=domain,dc=com with access only to samba entries which
belong to the samba* attribute types and also to ou=Machines and ou=Idmap.

I do not want to have a rootdn entry in slapd.conf.  The Ldaproot user
will have a kerberos principal with an unknown password that will be
stored in a keytab which will be used to perform gssapi auths whenever we
need to add/remove information to ldap using some scripts.

Since Sambaroot needs to have an entry in /etc/samba/secrets.tdb which is
pretty much plaintext and since samba cannot use keytabs, I would like to
provide the user uid=Sambaroot,dc=domain,dc=com with ACLs to be able to
add one entry to the root of the ldap database:

dn: sambaDomainName=GT-MATH-TEST,dc=math,dc=gatech,dc=edu
objectClass: sambaDomain
sambaDomainName: GT-MATH-TEST
sambaSID: S-1-5-21-2135209786-3363987198-2266210874
sambaAlgorithmicRidBase: 1000

The information above changes with the domain name, so it is not like I
can add it once as Ldaproot and then let Sambaroot modify it.

How do I create an ACL to allow uid=Sambaroot to add such an entry without
giving full write access?

I also need to allow Sambaroot to modify all attribute types for samba.  Is
there any other way to do this better than:

access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attrs=objectClass
	by * read
( I need to do the one above or the one below will block read access to
everything since objectClass is listed as an attribute).

access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSID,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaPrimaryGroupSID,sambaDomainName,displayName,objectClass
	by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
	by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write

Thanks,

Diego

----------------------------------
Diego Julian Remolina
System Administrator
School of Mathematics
Georgia Institute of Technology
----------------------------------
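An added example, not from Diego's post or from any running deployment, of how the two roles described above could be written as slapd.conf access directives (syntax per slapd.access(5)). The suffix, the two user DNs, the sambaDomainName entry and the samba* attribute names are taken from the post; the rule order, the "children"/"entry" split for the add, the separate rule for the password hashes, the ou=Machines/ou=Idmap rules under dc=math,dc=gatech,dc=edu and the trailing userPassword rule are assumptions.

```conf
# Added example (not from the original post).  slapd tries "access to"
# directives in order; the first one whose target matches an operation
# decides it, unless its "by" clause ends in "break", which falls through
# to the next directive instead of applying the implicit "by * none".

# 1. Ldaproot gets full write everywhere.  Listing it first with
#    "by * break" means every later rule is still evaluated for
#    other identities.
access to *
	by dn.exact="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
	by * break

# 2. Password hashes anywhere in the tree: Sambaroot writes them, nobody
#    else reads them.  This rule comes before any rule that ends in
#    "by * read" so those rules can never expose the hashes (machine
#    accounts under ou=Machines carry sambaNTPassword too).
access to dn.subtree="dc=math,dc=gatech,dc=edu" attrs=sambaLMPassword,sambaNTPassword
	by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
	by * none

# 3. Sambaroot may add the sambaDomainName=<domain> entry directly under
#    the suffix.  An add needs write on the parent's "children"
#    pseudo-attribute and write on the new entry itself (its "entry"
#    pseudo-attribute and its values), so both directives are needed.
#    The regex limits the second grant to sambaDomainName entries.
access to dn.exact="dc=math,dc=gatech,dc=edu" attrs=children
	by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
	by * none

access to dn.regex="^sambaDomainName=[^,]+,dc=math,dc=gatech,dc=edu$"
	by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
	by * read

# 4. ou=Machines and ou=Idmap (location under the suffix is an
#    assumption): Sambaroot owns both subtrees, everyone else reads
#    (hashes are already excluded by rule 2).
access to dn.subtree="ou=Machines,dc=math,dc=gatech,dc=edu"
	by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
	by * read

access to dn.subtree="ou=Idmap,dc=math,dc=gatech,dc=edu"
	by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
	by * read

# 5. Remaining Samba account attributes under ou=People.  objectClass is
#    listed here and the rule ends in "by * read", which replaces the
#    separate "attrs=objectClass by * read" rule from the post: with
#    first-match evaluation, a preceding objectClass rule would have meant
#    this rule could never grant Sambaroot write on objectClass.
access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSID,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaPrimaryGroupSID,sambaDomainName,displayName,objectClass
	by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
	by * read

# 6. Assumed tail: keep userPassword out of the catch-all read rule.
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none

access to *
	by * read
```

The attribute list in rule 5 is kept on one line on purpose: slapd joins a whitespace-led continuation line onto the previous one, but the attrs list is a single comma-separated token, so wrapping it across lines produces a parse error rather than a longer list. If your build ships slapacl(8), check the result before loading it, for example `slapacl -f /etc/openldap/slapd.conf -D "uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" -b "dc=math,dc=gatech,dc=edu" children/write` should report write allowed, while the same query for an ordinary user DN should be denied. slapd.access(5) also accepts `attrs=@sambaSamAccount` to select every attribute that objectClass allows, but note that sambaSamAccount also requires uid, so that shorthand would hand Sambaroot write on uid as well.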