[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access control

To: openldap-software@openldap.org
Subject: Re: access control
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Thu, 6 Dec 2007 13:18:23 +0200
Cc: Nathan Nobbe <quickshiftin@gmail.com>
Content-disposition: inline
In-reply-to: <7dd2dc0b0712041452g25be0dbx3e03af2c3eabddef@mail.gmail.com>
References: <7dd2dc0b0712041452g25be0dbx3e03af2c3eabddef@mail.gmail.com>
User-agent: KMail/1.9.7

On Wednesday 05 December 2007 00:52:11 Nathan Nobbe wrote:
> so now i will come to the problem.
> there is no way (that ive found in the administration guide) to
> access the entry a user authenticated against when writing the access
> control rules.

But the reverse is possible (using a regex based ACL, with dn.regex in 
the "what", and dn.extact,expand in "who", with positional paramters in the 
who tat are expanded to the values from the regex groups), which as far as I 
can tell should be sufficient for you.

> therefore in order to support the above general goal i must hardcode the
> value of the
> ou attribute into an access rule for every organizationalUnit in the tree.
> obviously this is an maintenance nightmare as i would need to support
> modification of
> the slapd.conf file if i wanted to create an interface where administrators
> could add /

If you had to update ACLs, writing to slapd.conf is not strictly necessary, as 
back-config would allow you to do it via LDAP.

> remove organizationalUnits or modify the value of their ou attribute.

Regards,
Buchan

References:
- access control
  - From: "Nathan Nobbe" <quickshiftin@gmail.com>

Prev by Date: slave-to-master replica
Next by Date: Re: ldap queries rewriting
Index(es):
- Chronological
- Thread