[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL and ACI

To: openldap-software@OpenLDAP.org
Subject: ACL and ACI
From: Armin Wenz <awenz@mtgnet.de>
Date: Mon, 23 Sep 2002 16:05:12 +0200
Organization: media transfer GmbH
User-agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.1) Gecko/20020826

Hallo all,

I got a directory structure like
c=de
    ou=user
      uid=LDAPuser...
      uid=ou2_user...
  o=org1
    ou=ou1
    ou=ou2
  o=org2

In my ACL I got
access to dn.subtree="ou=user,c=de"
  by dn="uid=LDAPuser..." write
  by anonymous auth
  by * none
access to dn.subtree="c=de"
  by dn="uid=LDAPuser..." write
  by * read

Everything is fine so far. The ou branches are created by a program and represents a customer. Usually every customer allows anonymous read access to their branch. But sometimes a customer don't. For I cannot change my config with every new customer I manage it by using ACIs. So if a customer don't want anonymous read access, I create a user (e.g. uid=ou2_user) with read access to ou=ou2. I manage this by an openLDAPaci "1#entry#grant;s,c,r;[all]#access-id#uid=ou2_user..." My ACL would now be access to dn.subtree="c=de" by dn="uid=LDAPuser..." write by aci read Now I cannot access the rest by anonymous anymore, because there is an implicit deny when no ACI is detected. It would be nice to have if aci by aci read else by * read

My question is now, how do I have to set my ACLs that if there is no ACI anonymous read access is allowed? Is this possible? It must be something like "1#entry#grant;s,c,r;[all]#access-id#anonymous"

Remember - I cannot change the configuration once the server is running.

Thanks for any ideas!

--

Armin Wenz

Follow-Ups:
- Re: ACL and ACI
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: Performance with OpenLDAP 2.0.26 and Samba
Next by Date: Re: Migrate MD5 passwords to OpenLdap 2.0.x with MigrationTools
Index(es):
- Chronological
- Thread