
Re: REPOST::: SubtreeAdmin in openLDAP v3



> Hi there,
> 
> I have installed openLDAP v3 and it seems to be running very smoothly. 
> However I always thought that one of the great strengths of LDAP is the 
> possibility to create different subtrees, thereby each subtree having 
> its very own admin with write privileges.

This has always been possible, with OpenLDAP 1.X as well as with 2.0.X.

> 
> Lets's say I have the tree
> 
> records
>   I
>   I-- store a
>   I
>   I-- store b

You can use two separate databases, e.g.

database	ldbm
suffix		"o=a,dc=suffix"
rootdn		"cn=manager,o=a,dc=suffix"
...

database	ldbm
suffix		"o=b,dc=suffix"
rootdn		"cn=manager,o=b,dc=suffix"

or a single database, 

database	ldbm
suffix		"dc=suffix"
rootdn		"cn=manager,dc=suffix"

where access to subtrees is delegated to normal users with full access
privileges.

> 
> Both subtrees (store a and store b) have the same schema which is 
> included via slapd.conf. I have included core.schema also.  Each 
> subtree is containing the data of records only; -no users. The 
> "unsolvable" problem is to create two admins (one for the subtree store 
> a and the other one for store b) having only read / write privileges on 
> his very own subtree.
> 
> With openLDAP 1.2 I simply can add an accessline like this:
> access to ou=store_a,o=records by cn=admin_store_a,ou=admins,o=records 
> write
> 
> In openLDAP v3 I get obscure errors. Sometimes it doesn't work at all, 
> at other times it says "no write access to parent". Have they changed 
> accesslines that much in openLDAP v3 ?

Access control is much more sophisticated in OpenLDAP 2.0; to access
an entry's attributes you need to have access to the meta-attribute
"entry"; to add/delete an entry you need write access to the
meta-attribute "children".

Your example should read:

access to dn.exact="ou=store_a,o=records"
	by dn.exact="cn=admin_store_a,ou=admins,o=records" write
	...

The problem with your approach is that ACLs by default are not additive.
They can be made additive by using control clauses like continue, break,
stop.  You should read carefully the ACL documentation: 

http://www.openldap.org/devel/cvsweb.cgi/doc/man/man5/slapd.access.5

http://www.openldap.org/faq/data/cache/447.html

Pierangelo.
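Added example, not part of Pierangelo's message or of the OpenLDAP documentation: a complete ACL set for the single-database layout he describes, using the names from the question (o=records, ou=store_a, ou=store_b, cn=admin_store_a and cn=admin_store_b under ou=admins). It assumes a slapd of 2.1 or later, because the dn.subtree selector is not available in 2.0 (there you would use a dn regex anchored on the subtree suffix instead), and the rootpw value is a placeholder to be replaced with slappasswd output. The point it shows is the one made above: access directives are evaluated in order, the first "to" clause that matches wins, and the first matching "by" clause inside it decides, so the per-store rules must come before the catch-all.

```conf
# Added example for the question above (assumed names, not the poster's
# actual slapd.conf).  One database, one delegated admin per store.

database        ldbm
suffix          "o=records"
rootdn          "cn=manager,o=records"
rootpw          secret          # placeholder: put the output of slappasswd here

# Passwords first: this "to" clause matches userPassword under ANY dn,
# including the stores, so the store admins can never read or rewrite a
# password they do not own.  "anonymous auth" is what lets a simple bind
# compare the password at all.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Store A.  dn.subtree covers ou=store_a itself and every entry below it.
# Because no attrs= list is given, the rule also covers the "entry" and
# "children" pseudo-attributes, which is what ldapadd/ldapdelete need:
# adding cn=x,ou=store_a,o=records requires write on the children
# pseudo-attribute of the parent, and write on the new entry's attributes.
# With dn.exact instead of dn.subtree only the ou entry would be covered
# and anything two levels down would still fail with "no write access
# to parent".
access to dn.subtree="ou=store_a,o=records"
        by dn.exact="cn=admin_store_a,ou=admins,o=records" write
        by * read

# Store B, same shape, different admin.
access to dn.subtree="ou=store_b,o=records"
        by dn.exact="cn=admin_store_b,ou=admins,o=records" write
        by * read

# Everything that is left: o=records itself, ou=admins and the admin
# entries.  Neither store admin matches a write clause here, so neither
# can create, rename or delete a store; that stays with the rootdn.
access to *
        by users read
        by * none

# WRONG ORDER, kept only for contrast (commented out).  With the catch-all
# first, "to *" already matches every entry, slapd stops there, and the
# store rules below it are never evaluated: both admins end up read-only.
#access to *
#        by users read
#        by * none
#access to dn.subtree="ou=store_a,o=records"
#        by dn.exact="cn=admin_store_a,ou=admins,o=records" write
#        by * read
```

To check it, bind as cn=admin_store_a,ou=admins,o=records with ldapadd and add an entry under ou=store_a, then try the same under ou=store_b and directly under o=records: the first must succeed, the other two must fail with insufficientAccessRights (result code 50). If the first attempt fails with "no write access to parent", the rule that matched was not the store rule, which almost always means an earlier "to" clause (or a regex dn that does not anchor on the subtree) caught the entry first.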