
Re: deleting ACL

Alejandra Moreno wrote...:

> OK, but when you access the LDAP server from any other client, how
> does the server know the user that is attempting to connect?

i think nearly every LDAP client out there should have the possibility 
to specify a user and a password that will be used to bind to the 
server, i.e. the (so-called) bind DN, which for the example given may be:
cn=Alejandra,dc=your,dc=org

and the password will have to match the "userpassword" attribute of that 
(the "cn=Alejandra,dc=your,dc=org") entry, stored in the LDAP server.

if there's no possibility to specify a user/password, you'll always 
"bind" as user "anonymous", which has, obviously, no password.

note that "bind as user anonymous" isn't completely true in this case. 
if a client _doesn't specify_ a bind DN and a password, slapd will 
assign the "anonymous" username to it. you can also use the (string) 
"anonymous" in your access definitions, btw.

hth,
daniel

ps: ando, thanks for your intervention, i've been a bit mazed and 
started to get annoyed, as you might have noticed.. >:o)

pps: what is the dn.exact thing about? is this kind of a speed 
optimization if there are no wildcards and the like (i.e. no 
regex-matching)? i think dn="cn=Alejandra,dc=your,dc=org" should have the 
same result? or is there more about it?

> At 16:11 14.01.2002 +0100, you wrote:
>> > Yes, that's what I meant (sorry if I was not clear!), and yes I
>> > thought there was no way to separate add/delete from modify
>> > permissions at the attribute level. However, could I specify a
>> > single user to add/delete? How can I do that? 
>>
>>I think you should read carefully the slapd.access man page that
>>comes with HEAD code
>>
>>http://www.openldap.org/devel/cvsweb.cgi/doc/man/man5/slapd.access.5
>>
>>or have a look at the FAQ (a bit older, but basically correct)
>>
>>http://www.openldap.org/faq/data/cache/447.html
>>
>>because there are so many specific cases you may want to configure
>>access for.  Basically you may want to give access to a specific
>>set of attributes, which may belong to a specific entry or to a
>>subtree or to the whole tree.  To give a specific user write
>>permissions you must use its DN.
>>
>>So an example ACL for attributes regardless of the entry they
>>belong to is (assuming your dn is "cn=Alejandra,dc=your,dc=org"):
>>
>>access to attrs=entry,mail,description
>>         by dn.exact="cn=Alejandra,dc=your,dc=org" write
>>         by * read
>>
>>Note that you need "entry" access to be allowed to write the
>>attributes (here write means add/modify/delete)
>>
>>If you want to give access to the same attributes but only in the
>>"ou=Foo" subtree:
>>
>>access to dn.subtree="ou=Foo,dc=your,dc=org"
>>attrs=entry,mail,description 
>>         by dn.exact="cn=Alejandra,dc=your,dc=org" write
>>         by * read
>>
>>You can make this ACL much more powerful by defining a group of
>>people with the same access rights and by delegating access to the
>>members of the group.
>>
>>Pierangelo.
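A fuller slapd.conf access section, added here as an illustration rather than taken from the thread, that combines the two points made above: a client proves who it is by binding with a DN and password, so every user needs "auth" access to their own userPassword (otherwise they stay "anonymous"), and the write permission on the ou=Foo subtree is delegated to a group instead of a single DN. The group DN cn=FooAdmins,ou=Groups,dc=your,dc=org is an assumed name; the access types, "by" clauses and dn/group styles are the ones documented in slapd.access(5).

```conf
# slapd.conf access directives (added example; names below are assumed).
# Rules are evaluated top-down: the first "access to" clause whose target
# matches is used, and within it the first matching "by" clause wins.

# Let the password attribute be used for simple binds without exposing it:
# the owner may change it, an unauthenticated client may only compare against
# it during bind ("auth"), and nobody else can read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Delegate write access on mail/description under ou=Foo to a group rather
# than to one person. "entry" is still required alongside the attributes,
# otherwise the write on the entry itself is refused.
access to dn.subtree="ou=Foo,dc=your,dc=org" attrs=entry,mail,description
        by group.exact="cn=FooAdmins,ou=Groups,dc=your,dc=org" write
        by * read

# Everything else: readable only by clients that have bound successfully.
# Clients that did not supply a bind DN ("anonymous") get nothing.
access to *
        by users read
        by * none
```

Group membership is read from the group entry's member attribute (the default for group.exact), so adding or removing a member changes who may write without editing slapd.conf.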