[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Dynamic configuration / admin users

On 10/19/12 12:36 +0900, Simon Walter wrote:
Debian Squeeze is using the dynamic configuration. While I am sure there are benefits, all the documentation is for static configuration (slapd.conf).

I've got a basic tree up and running and several services are using it no problem. There are several things I'd like to do, like replication. For this and some other services, SOGo for example, that don't bind anonymously, I'd like to create some more users for this. I could be mistaken, but perhaps they need some kind of admin privileges. If not, that means that any user can modify anything in the tree.

I'm not familiar with SOGo. A typical configuration might include a rootdn
for configuration purposes, and one or more administrative users which are
allowed piecemeal access to add/change your tree, restricted by ACLs.

Those administrative users can be user entries within your tree, or sasl
(authc) identities.

I see various information about ACI and ACL and access.conf. I can't find clear documentation about how any of this relates to dynamic configurations.

See the manpage for slapd-config, and the OpenLDAP Administrator's Guide;
Chapter 8 covers Access Control.

To conclude, how do I add additional users to a dynamic configured openldap tree and configure those users with specific access permissions?

*Adding* users shouldn't be any different (the tree itself is no different,
only the configuration backend). ACL configuration for you will be a
one-to-one mapping from the slapd.conf config statements, in whatever
documentation you're reading, to the slapd-config dynamic config statements
(compare the slapd.conf and slapd-config manpages).

Dan White