I would like to have 2 users with separate ACLs for openldap:
uid=Ldaproot,dc=domain,dc=com with full access to the database.
uid=Sambaroot,dc=domain,dc=com with access only to samba entries which
belong to the samba* attribute types and also to ou=Machines and ou=Idmap.
I do not want to have a rootdn entry in slapd.conf. The Ldaproot user
will have a kerberos principal with an unknown password that will be
stored in a keytab which will be used to perform gssapi auths whenever we
need to add/remove information to ldap using some scripts.
Since Sambaroot needs to have an entry in /etc/samba/secrets.tdb which is
pretty much plaintext and since samba cannot use keytabs, I would like to
provide the user uid=Sambaroot,dc=domain,dc=com with ACLs to be able to
add one entry to the root of the ldap database:
The information above changes with the domain name, so it is not like I
can add it once as Ldaproot and then let Sambaroot modify it.
How do I create an ACL to allow uid=Sambaroot to add such entry without
giving full write access?
I also need to allow Sambaroot to modify all attribute types for samba. Is
there any better way to do this than:
access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attrs=objectClass
        by * read
(I need to do the one above, or the one below will block read access to
everything, since objectClass is listed as an attribute.)
access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSID,samba
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
Diego Julian Remolina
School of Mathematics
Georgia Institute of Technology
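The slapd.conf ACL set below is an added example written for this thread; it is not part of the original post and not Samba or OpenLDAP project code. It assumes the suffix dc=domain,dc=com, that both admin accounts live under ou=People, that the entry Sambaroot must create under the suffix is the sambaDomain object (sambaDomainName=<NETBIOS name>,dc=domain,dc=com, which is the one whose RDN changes with the domain name), and OpenLDAP 2.3 or later for the @objectClass and val= qualifiers. The point it shows that the posted ACLs do not: adding an entry needs write on the parent's "children" pseudo-attribute plus write on the new entry's "entry" pseudo-attribute and on every attribute in it, so granting "children" on the suffix while limiting "entry" to a DN regex lets Sambaroot add exactly one kind of entry at the root without full write access.

```conf
# slapd.conf ACL fragment (added example, assumes suffix dc=domain,dc=com
# and admin accounts under ou=People). ACLs are evaluated top to bottom;
# the first "access to" clause whose <what> matches decides, unless a
# "by ... break" sends evaluation on to the next clause.

# 1. Ldaproot replaces rootdn: full write everywhere. "by * break" lets
#    every other bind DN fall through to the clauses below.
access to *
        by dn.exact="uid=Ldaproot,ou=People,dc=domain,dc=com" write
        by * break

# 2. Adding a child directly under the suffix needs write on the suffix
#    entry's "children" pseudo-attribute ...
access to dn.exact="dc=domain,dc=com" attrs=children
        by dn.exact="uid=Sambaroot,ou=People,dc=domain,dc=com" write
        by * read

# 3. ... and write on the new entry's "entry" pseudo-attribute and on each
#    attribute being added. Restricting this to the sambaDomainName RDN means
#    the grant in (2) cannot be used to add arbitrary entries at the root.
#    (@sambaDomain expands to the attributes that object class allows;
#    objectClass is listed explicitly because it is also added.)
access to dn.regex="^sambaDomainName=[^,]+,dc=domain,dc=com$" attrs=entry,objectClass,@sambaDomain
        by dn.exact="uid=Sambaroot,ou=People,dc=domain,dc=com" write
        by * read

# 4. To turn an existing posixAccount into a sambaSamAccount, Sambaroot must
#    be able to add that one objectClass value; val= limits the grant to it,
#    so the rest of objectClass stays read-only.
access to dn.one="ou=People,dc=domain,dc=com" attrs=objectClass val=sambaSamAccount
        by dn.exact="uid=Sambaroot,ou=People,dc=domain,dc=com" write
        by * read

# 5. The LM/NT hashes are password-equivalent (pass-the-hash); nobody but the
#    two admins should ever read them. This clause must come before (6) so the
#    broader "by * read" there never covers these two attributes.
access to dn.one="ou=People,dc=domain,dc=com" attrs=sambaLMPassword,sambaNTPassword
        by dn.exact="uid=Sambaroot,ou=People,dc=domain,dc=com" write
        by * none

# 6. Remaining sambaSamAccount attributes: admins write, everyone else reads.
#    Listed explicitly rather than as @sambaSamAccount, which would also pull
#    in uid, displayName and description.
access to dn.one="ou=People,dc=domain,dc=com" attrs=sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaPwdLastSet,sambaPwdCanChange,sambaPwdMustChange,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaDomainName,sambaBadPasswordCount,sambaBadPasswordTime,sambaLogonHours
        by dn.exact="uid=Sambaroot,ou=People,dc=domain,dc=com" write
        by * read

# 7. Machine accounts and idmap entries: full control for Sambaroot within the
#    two subtrees (no attrs= means all attributes, including the entry and
#    children pseudo-attributes, so it can add and delete there).
access to dn.subtree="ou=Machines,dc=domain,dc=com"
        by dn.exact="uid=Sambaroot,ou=People,dc=domain,dc=com" write
        by * read

access to dn.subtree="ou=Idmap,dc=domain,dc=com"
        by dn.exact="uid=Sambaroot,ou=People,dc=domain,dc=com" write
        by * read

# 8. Everything else is read-only for everyone (entry pseudo-attribute
#    included, so searches still return entries).
access to *
        by * read
```

Check the result with slapacl before trusting it, e.g. `slapacl -v -D uid=Sambaroot,ou=People,dc=domain,dc=com -b "dc=domain,dc=com" children/write` should report ALLOWED, while the same query against `ou=People,dc=domain,dc=com` must report DENIED; run `slaptest -u` after every edit, since a syntax error in slapd.conf stops slapd from starting.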