
Re: overlay unique - multiple suffixes


There are different reasons for this strict distinction, especially security reasons.

I think I have to choose the same naming context for both suffixes if I create a meta database and put slapo-unique there.

Is it an alternative? If it is, could I create a meta database with different naming contexts?

Aaron Richton wrote:
On Tue, 29 Jul 2008, Michael Ströder wrote:

I have two suffixes with two bdb backends; in the first suffix you find internal and in the second suffix you find external users.

You could glue the suffixes together under a common suffix if it does not violate your security requirements and place slapo-unique there.

Presumably, the two suffix values are known in advance as constants. Therefore it should be fairly trivial to write ACLs along the lines of:

access to dn.subtree="ou=Area1,dc=suffix" [mostlyAllow]
access to dn.subtree="ou=Area2,dc=suffix" [mostlyAllow]
access to dn.subtree="dc=suffix" [mostlyDeny]

which should allow slapo-unique to be used (under access internal to slapd) while not granting additional access to the external world.
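
Added illustration, not part of the message above or of OpenLDAP: the ACL sketch relies on slapd applying the first `access to` clause whose target matches, so the two subtree rules must precede the broad `dc=suffix` rule. This Python model shows the effect of reordering them; the sample DNs are constructed, DN parsing is simplified, and `mostlyAllow`/`mostlyDeny` remain the thread's placeholders.

```python
# Added illustration: models only how slapd picks the first matching
# "access to <what>" clause; the <who> parts stay the thread's placeholders.

def dn_parts(dn):
    """Split a DN into normalized RDNs (simplified: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def in_subtree(entry_dn, base_dn):
    """dn.subtree matches the base entry itself and everything below it."""
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def first_match(rules, entry_dn):
    """Return the policy of the first rule whose subtree contains entry_dn.

    slapd stops at the first matching <what>; later rules are never consulted.
    None means no clause matched, which slapd treats as no access.
    """
    for base, policy in rules:
        if in_subtree(entry_dn, base):
            return policy
    return None

# Rule order from the message: specific subtrees first, broad rule last.
ORDERED = [
    ("ou=Area1,dc=suffix", "mostlyAllow"),
    ("ou=Area2,dc=suffix", "mostlyAllow"),
    ("dc=suffix", "mostlyDeny"),
]
# Same rules with the broad clause moved to the top (the mistake to avoid).
MISORDERED = [ORDERED[2], ORDERED[0], ORDERED[1]]

# Constructed sample DNs, not taken from the thread.
SAMPLES = [
    "uid=alice,ou=Area1,dc=suffix",
    "uid=bob,ou=Area2,dc=suffix",
    "cn=other,dc=suffix",
    "uid=eve,dc=elsewhere",
]

def evaluate(rules):
    """Map each sample DN to the policy the given rule order selects."""
    return {dn: first_match(rules, dn) for dn in SAMPLES}

if __name__ == "__main__":
    for name, rules in (("ordered", ORDERED), ("misordered", MISORDERED)):
        print(name)
        for dn, policy in evaluate(rules).items():
            print(f"  {dn:32} -> {policy}")
```

With the broad rule first, every entry under `dc=suffix` falls to `mostlyDeny` and the two subtree rules never apply.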