|
Hi, This is my tree c=MY o=A ou=a1 o=B ou=a2 o=C ou=a3 What i need to do is that only ou=a3 subtree and its children CAN ONLY be access by A closed user group ie users under this tree should have access toi it. This closed user group accesses it via a username-password. Only one pair required for the whole community of this closed user group to access /read it. My access list configuration in the slapd.conf is as such:- access to dn="ou=a3,o=C,c=MY" by users read access to * by * read When i check via an ldap browser, i managed to achieve this, that is i can view ou=a1, ou=a2, o=C. ou=a3 cannot be seen. However to view the ou=a3: I did this ... reconfigure the ldap browser base entry as o=C,c=MY and set the username and password to point to the rootdn/rootpassword........ which should not be the case. Is there a way to introduce a specific one just for that tree ? As Quanah mentioned u can't lock down the tree. So how could one achieve this .. any workaround ? My project is a migratory project. Current one is running on CriticalPath and it could do that. Hence, I'm ensuring the look and feel is not changed hence my requirement above. Could anyone propose any suggestions ? .sakthi ----- Original Message ----- From: "Quanah Gibson-Mount" <quanah@stanford.edu> To: <openldap-software@OpenLDAP.org> Cc: "Sivasakthi d/o Sivagnanam" <sakthi@digicert.com.my> Sent: Wednesday, June 09, 2004 7:16 AM Subject: Re: OpenLDAP: ACL : urgent > > > --On Monday, June 07, 2004 5:00 PM +0800 "Sivasakthi d/o Sivagnanam" > <sakthi@digicert.com.my> wrote: > > > Hi, > > > > I have the following stru for my OpenLDAP DIT:- > > ROOT has subtree A and subtree B > > > > How do I go about setting a specific username|password for subtree B so > > that only a group of users is able to read only, write only and > > read+write ? > > There's not a whole lot here to go on. > > You don't lock down a tree by username/password. You set up acl's saying > what group of users (or users) have access to a tree. > > > Like: > > access to dn.base="cn=treeB,dc=digicert,dc=com,dc=my" > by group.base="cn=usergroup,dc=digicert,dc=com,dc=my" read > by dn.base="uid=sakthi,dc=digicert,dc=com,dc=my" write > by * break > > or something along those lines. I suggest reading: > > man slapd.access > > to see how to do write only (since "write" implies read+write). > > --Quanah > > -- > Quanah Gibson-Mount > Principal Software Developer > ITSS/Shared Services > Stanford University > GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html |