
Re: secret attributes and connection between objectclasses



One way to link your projects to your people would be to make projects of
the "objectclass=groupofuniquenames".  Then use the attribute "uniquemember"
that contains the "dn" of the people that belong to the project.  This is
very similar to how email groups work.

As far as the "secretdata" attribute goes, you just need to add an acl to
your slapd.conf that prevents all access to this attribute unless bound as
'cn=admin,ou=people,dc=company,dc=country'.  I'm not sure off the top of my
head what the exact syntax would be, but look at the acl information on the
openldap website.   I think the syntax you are looking for would be
something like:

access to attrs=secretdata
    by dn="cn=admin,ou=people,dc=company,dc=country" write
    by * none

A couple of places to look for more info would be:

http://www.openldap.org/faq/data/cache/189.html
http://www.openldap.org/doc/admin/slapdconfig.html#Access%20Control


----- Original Message -----
From: "Tomas Kucera" <tom.kucera@sh.cvut.cz>
To: "LDAP" <openldap-general@OpenLDAP.org>
Sent: Tuesday, December 12, 2000 4:27 PM
Subject: secret attributes and connection between objectclasses


> Hi,
> I'm working on a company information system and I'm using LDAP and PHP.
> I have this schema:
>
> ou=people,dc=company,dc=country
> ou=projects,dc=company,dc=country
>
> cn=person1,ou=people,dc=company,dc=country
> title,PostalAddress,telephoneNumber,givenName,sn,mail,mobile
> jpegPhoto,labeledURI,icq,linka,ou,secretdata???
> ...
>
> cn=project1,ou=projects,dc=company,dc=country
> description,list_of_people???
> ...
>
> Question is: how is it possible to point from ou=projects to ou=people? Is
> there any special attribute?
> Second question: how do I make the attribute 'secretdata' in 'ou=people'
> invisible to everyone except a specific person called
> 'cn=admin,ou=people,dc=company,dc=country'? Other attributes
> must be readable and writable for all.
> Does anyone have a working example of an LDAP structure with these features?
>
> Thanks very much
>
> p.s. Sorry for my bad English.
>
> --
> --------------------------------------------------------------------------
> (o>    Tomas Kucera (kuca), 6th-year student, FEL CVUT
> //  \    tom.kucera@sh.cvut.cz, tomas@globe.cz
> V_/_   ICQ: 33297193, TEL: 0604 704983
>        http://symuro.webzdarma.cz
> --------------------------------------------------------------------------
> Linux is like fantasy game: you can kill zombies and invoke daemons
> --------------------------------------------------------------------------
>
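To make the first-match behaviour of the access directive suggested in the reply concrete, here is a small Python model, added for this archive page and not code from the thread or from OpenLDAP, that parses the directive in slapd.conf syntax and reports the level each bind DN gets on each attribute. The explicit `access to *` catch-all and the deny-when-nothing-matches fallback are this model's assumptions, not a statement of slapd's own defaults; swapping the two directives so the catch-all comes first shows why ordering matters, because the secretdata rule is then never reached.

```python
import re

# Constructed slapd.conf fragment: the directive from the reply, followed by
# an explicit catch-all for every other attribute (assumption for this model).
SLAPD_ACL = """
access to attrs=secretdata
    by dn="cn=admin,ou=people,dc=company,dc=country" write
    by * none
access to *
    by * read
"""

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and rules:
            # Assumes the quoted DN contains no spaces (true for this thread).
            who, level = line[3:].rsplit(None, 1)
            rules[-1][1].append((who.strip(), level))
    return rules

def _what_matches(what, attr):
    if what == "*":
        return True
    m = re.fullmatch(r"attrs=(.+)", what)
    return bool(m) and attr.lower() in [a.strip().lower() for a in m.group(1).split(",")]

def _who_matches(who, bind_dn):
    if who == "*":
        return True
    m = re.fullmatch(r'dn="(.+)"', who)
    return bool(m) and bind_dn is not None and m.group(1).lower() == bind_dn.lower()

def access_for(rules, bind_dn, attr):
    """Level granted to bind_dn (None = anonymous) on attr: the first directive
    whose 'what' matches decides, and inside it the first matching 'by' wins."""
    for what, clauses in rules:
        if _what_matches(what, attr):
            for who, level in clauses:
                if _who_matches(who, bind_dn):
                    return level
            return "none"  # directive matched but no 'by' clause did
    return "none"  # nothing matched: this toy model denies (slapd has its own default)
```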