question regarding ACLs
- To: <openldap-technical@openldap.org>
- Subject: question regarding ACLs
- From: "Kick, Claus" <claus.kick@siemens.com>
- Date: Mon, 6 Oct 2008 16:09:26 +0200
- Content-class: urn:content-classes:message
- Thread-index: AcknvSRjIoATZvNaRDanqcO0DFB3CA==
- Thread-topic: question regarding ACLs
Hello all,
Since I have some time, I figured I would rectify our OpenLDAP configuration
and use proper ACLs.
We are using the following version on Solaris 10:
[xxxx:/opt/csw/libexec]$ ./slapd -V
@(#) $OpenLDAP: slapd 2.3.39 (Feb 22 2008 18:51:52) $
asmoore@ra
Our user subtree is organized as shown below:
o=suffix
ou=people,o=suffix
uid=kdz,ou=people,o=suffix
uid=hyc,ou=people,o=suffix
ou=removed_accounts,ou=people,o=suffix
uid=abcd,ou=removed_accounts,ou=people,o=suffix
uid=efgh,ou=removed_accounts,ou=people,o=suffix
Basically, I want getent passwd not to list entries below
ou=removed_accounts,ou=people,o=suffix, because a client application still
considers the removed accounts as users (it probably searches the whole
subtree).
I read the documentation for 2.3:
http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control
And found this:
The scope can be either base, one, subtree, or children. Where base
matches only the entry with provided DN, one matches the entries whose
parent is the provided DN, subtree matches all entries in the subtree
whose root is the provided DN, and children matches all entries under
the DN (but not the entry named by the DN).
So, I figured that an ACL (no global ACLs any longer) like this
access to dn.one="ou=People,o=suffix" by * write
should hide the removed accounts and only show the active ones.
But it does not; the result still contains all the children of
ou=removed_accounts,ou=people,o=suffix
and of
ou=people,o=suffix
Using dn.base="ou=People,o=suffix" by * write
works as expected, and getent passwd does not return any LDAP users, solely
the /etc/passwd users.
The client system in question is a Solaris 10 machine, I have kept the
client configuration unchanged for the tests so far:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 127.0.0.1
NS_LDAP_SEARCH_BASEDN= o=suffix
NS_LDAP_SEARCH_TIME= 90
NS_LDAP_CACHETTL= 0
There are only two other ACLs in place:
1. access to dn.one="ou=Group,o=siemensmedical.com" by * write
This one works fine, getent group returns all the groups it should
return and the changes can be done as well.
2. access to dn.subtree="ou=Roles,o=siemensmedical.com" by * write
This one works fine as well, it returns the role structure as requested
and changes work as well.
Where am I making a mistake?
Best regards,
Claus
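To make the scope semantics quoted from the admin guide concrete, here is a small model of the dn.base / dn.one / dn.subtree / dn.children selectors applied to the tree from the post, plus slapd's first-matching-directive rule. This is an added illustration, not code from the OpenLDAP project or from the poster; its DN normalisation (trimming and lower-casing RDNs, honouring backslash-escaped commas) is a simplified stand-in for slapd's, and the tree and the three access directives are reproduced from the post as constructed sample data (the differing suffixes are kept as written there).

```python
"""Model of OpenLDAP's dn.<scope>="<pattern>" target selectors.

Added illustration, not OpenLDAP code. DN normalisation is a simplified
stand-in for slapd's: RDNs are trimmed and lower-cased, and a backslash
escapes the following character (RFC 4514 style), so "ou=People" and
"ou=people" compare equal and "cn=Doe\, John" stays one RDN.
"""

SCOPES = ("base", "one", "subtree", "children")


def split_dn(dn):
    """Split a DN into its normalised RDNs, leftmost (deepest) first."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char: keep both
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]


def dn_matches(scope, pattern, entry):
    """True if dn.<scope>="<pattern>" covers the entry, per the admin guide:
    base  - only the entry named by the pattern
    one   - entries whose parent is the pattern
    subtree - the pattern and everything below it
    children - everything below the pattern, not the pattern itself"""
    p, e = split_dn(pattern), split_dn(entry)
    # entry lies at or below pattern iff its RDN list ends with pattern's
    is_under = len(e) >= len(p) and e[len(e) - len(p):] == p
    if scope == "base":
        return e == p
    if scope == "one":
        return is_under and len(e) == len(p) + 1
    if scope == "subtree":
        return is_under
    if scope == "children":
        return is_under and len(e) > len(p)
    raise ValueError("unknown scope: %r" % scope)


# The user subtree from the post (constructed sample data).
TREE = [
    "o=suffix",
    "ou=people,o=suffix",
    "uid=kdz,ou=people,o=suffix",
    "uid=hyc,ou=people,o=suffix",
    "ou=removed_accounts,ou=people,o=suffix",
    "uid=abcd,ou=removed_accounts,ou=people,o=suffix",
    "uid=efgh,ou=removed_accounts,ou=people,o=suffix",
]


def select(scope, pattern, entries=TREE):
    """Entries of the tree that a dn.<scope>="<pattern>" selector covers."""
    return [e for e in entries if dn_matches(scope, pattern, e)]


# The three access directives from the post, in configuration order.
RULES = [
    ("one", "ou=People,o=suffix", "by * write"),
    ("one", "ou=Group,o=siemensmedical.com", "by * write"),
    ("subtree", "ou=Roles,o=siemensmedical.com", "by * write"),
]


def first_matching_rule(rules, entry):
    """slapd uses the first 'access to' directive whose target matches the
    entry and consults no later one. Returns that rule's index, or None
    when no directive's target covers the entry."""
    for i, (scope, pattern, _who) in enumerate(rules):
        if dn_matches(scope, pattern, entry):
            return i
    return None


if __name__ == "__main__":
    for scope in SCOPES:
        print('dn.%s="ou=People,o=suffix" covers:' % scope)
        for e in select(scope, "ou=People,o=suffix"):
            print("    " + e)
    print()
    for e in TREE:
        idx = first_matching_rule(RULES, e)
        hit = "rule %d" % idx if idx is not None else "no matching directive"
        print("%-50s -> %s" % (e, hit))
```

Running it prints that dn.one covers uid=kdz, uid=hyc and the ou=removed_accounts entry itself but not the two uid entries beneath it, which only dn.subtree and dn.children reach, and that none of the three directives' targets cover uid=abcd or uid=efgh.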