
Re: simple ACL requirement, grant access to modify myself and my sub entries, not sure how to do it

Shane wrote:
> Hopefully someone will correct me if I'm wrong but as far as I'm aware
> you cannot log in as an ou object.

You can log in with __ANY__ DN, provided you configure your server to
authenticate that identity.  As for how to do that, there are
innumerable ways (SASL in the first place, but adding a userPassword to
an organizationalUnit, which is an allowed attribute, allows simple bind
as well).  Also, identities in ACLs do not imply the capability to bind
with that DN, since proxyAuthz allows one, as permitted by appropriate
mechanisms, to assume any DN for the duration of an operation.
Technically, the code does not pose any limit that is not a violation of
the specifications; it's up to the administrator to limit what is
possible and what is not.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
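The bind-as-an-OU setup this reply describes, as an added example (not from the thread and not OpenLDAP's own documentation): one LDIF that gives an organizationalUnit a userPassword so simple bind works, then adds a cn=config ACL matching the subject's requirement (the OU may modify itself and the entries below it). The suffix dc=example,dc=com, the entry ou=sales and the database name olcDatabase={1}hdb are assumptions.

```ldif
# Constructed example; suffix, OU name and {1}hdb database are assumptions.
# 1) Give the OU entry a password so a simple bind as that DN succeeds.
#    Generate the hash with: slappasswd -h {SSHA}
dn: ou=sales,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# 2) ACLs: whoever binds as a top-level OU may write that OU and every
#    entry beneath it. No attrs= clause, so the rule covers all attributes
#    including the entry and children pseudo-attributes (add/delete).
#    Placed at {0}/{1} so they precede any catch-all rule: the first "to"
#    clause that matches an entry decides.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.regex="^(.+,)?(ou=[^,]+,dc=example,dc=com)$"
  by dn.exact,expand="$2" write
  by users read
  by * none
```

Apply with ldapmodify as the directory rootdn (for the first record) and as the cn=config admin (for the second); the rootdn bypasses ACLs, so verify the result by binding as ou=sales itself and attempting a write inside and outside its subtree.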