
Access Control confusion



I am a beginner with OpenLDAP so please pardon my ignorance. Pointers to
relevant topics or suggestions would be greatly appreciated.

I've got OpenLDAP up and running successfully with the default access controls
(access to * by * read). What I need to do is allow access to specific
portions of a database using the following format:

<slapd.conf snippet>
database	ldbm
suffix		""
rootdn		"cn=craig,dc=2cah,dc=com"
rootpw		xxxxx
# Indices to maintain
index	objectClass,cn,mail	pres,eq
</slapd.conf snippet>

<LDIF snippet>
dn: cn=Postmaster, dc=2cah, dc=com
cn: Postmaster@2cah.com
o: 2cah.com
sn: Postmaster
mail: Postmaster@2cah.com
userPassword:: Y2ExOTYz
objectClass: inetorgperson

dn: cn=Postmaster, dc=ezmts, dc=org
cn: Postmaster@ezmts.org
o: ezmts.org
sn: Postmaster
mail: Postmaster@ezmts.org
userPassword:: Y2ExOTYz
objectClass: inetorgperson
</LDIF snippet>

Users from dc=2cah,dc=com should only be able to see the entries for 2cah.com
but not for ezmts.org and the other way round using simple authentication.

I've been beating my head up against a wall trying to figure this out. I've
read the portion of the admin guide covering ACIs but it still isn't sinking
in.

Suggestions would be greatly appreciated. Thank you.

-- 

Craig Morrison
  http://www.mtsprofessional.com/
  A Win32 Email server that works for you.
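One way to express the per-tree split asked about above, as an added example of slapd.conf access directives that is not part of the original message: it uses only the DNs shown in the post and assumes the dn.subtree qualifier available from OpenLDAP 2.1 on (older releases accept only regex dn= forms).

```conf
# Access directives are evaluated in order: the first "access to" clause
# whose <what> matches the entry or attribute is used, and within it the
# first matching "by" clause decides. Anything not granted explicitly
# falls through to the final "by * none".

# 1. Password attribute first, so it is never caught by the broader
#    subtree rules below: the owner may change it, an anonymous client
#    may use it for simple bind, nobody may read the hash back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. Entries under dc=2cah,dc=com are readable only by an identity that
#    bound as an entry somewhere under dc=2cah,dc=com.
access to dn.subtree="dc=2cah,dc=com"
    by dn.subtree="dc=2cah,dc=com" read
    by * none

# 3. The mirror rule for dc=ezmts,dc=org.
access to dn.subtree="dc=ezmts,dc=org"
    by dn.subtree="dc=ezmts,dc=org" read
    by * none

# 4. Everything else in the "" suffix is denied, so the outcome does not
#    depend on the server's default policy.
access to *
    by * none
```

The rootdn bypasses these rules, so check the result with ldapsearch bound as each Postmaster entry rather than as cn=craig,dc=2cah,dc=com.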