[Date Prev][Date Next] [Chronological] [Thread] [Top]

Simple ACL's for certificate revocation list LDAP

To: openldap-software@OpenLDAP.org
Subject: Simple ACL's for certificate revocation list LDAP
From: Kimmo Koivisto <kimmo.koivisto@surfeu.fi>
Date: Wed, 23 Mar 2005 23:44:44 +0200
Content-disposition: inline
User-agent: KMail/1.8

Hello

This is my second problem today, not the same as earlier post about mapping 
certs to ACL users.

My environment:
Openldap 2.2.13-2 (RHEL4) as LDAP server. CA-system which publishes 
certificates and revocation lists to the LDAP.

LDAP's fqdn is ldap.kimmo.local and CA-system is ca.kimmo.local. LDAP server 
has also secondary IP with fqdn ldap2.kimmo.local. LDAP's rootdn is 
cn=manager,c=fi. LDAP structure is as follows:

c=fi
	\----o=company
		\----cn=company CA (crl and cacert are here)
		\----cn=user 1 (user cert is here)
		\----cn=user 2
		\----cn=user 3

	\----o=admins
		\----cn=ca-admin

I would like to define ACL's so, that:

1. anonymous users can read everything (certificates, revocation lists and 
other attributes under user and CA entries). No access under o=admins,c=fi

2A. CA-system can read and write anything, binding as rootdn only when source 
IP is ca.kimmo.local

2B  CA-system can read and write anything, binding as existing ldap user 
cn=ca-admin only when source IP is ca.kimmo.local

2C  CA-system can read and write anything, binding as existing ldap user 
cn=ca-admin only when source IP is ca.kimmo.local and destination IP is the 
secondary IP

2D  CA-system can read and write anything, using TLS client auth only when 
source IP is ca.kimmo.local

I have no idea how the ACL's should be defined. I need to have option 1 and 
one 2X. In any case, writing from CA would be TLS Server authenticated and 
encrypted.

Any help or pointers to the examples or howtos?

Regards
Kimmo Koivisto

Prev by Date: Re: ldap_start_tls_s() error NOT SUPPORTTED
Next by Date: Re: 2.0.27 replicating to 2.2.15
Index(es):
- Chronological
- Thread