RE: sasl UID mapping
--On Sunday, January 25, 2004 10:15 PM +0000 Paul Jakma <paul@clubi.ie>
wrote:
> Hi Quanah,
>
> On Sat, 17 Jan 2004, Quanah Gibson-Mount wrote:
>
>> Paul,
>>
>> I'm going to give you a helping hand. :)
>
> Actually, I was already using some of your other posts to the lists
> as reference (well, perhaps not yours, but definitely
> from stanford.edu). :)

Most likely me then. ;)

>> Here's the beginning of our ACL file that allows this to happen without
>> giving read access:
>>
>> # $Id: slapd.acl,v 1.124 2003/12/18 03:16:42 quanah Exp $
>> # ACL include file for slapd
>> #
>> access to dn.base=""
>>         by * read
>
> ok, had this.
>
>> access to dn.base="cn=monitor"
>>         by * read
>
> What is this for?

We enable the monitor backend (see back-monitor).

>> access to *
>>         by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"
>>            sasl_ssf=56 read
>>         by * break
>
> Wouldn't this then prevent
> group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" gaining any
> other permissions, eg write? Or do you have other more specific ACLs
> previous to this ACL?

Yes, ldapAdmin is different than Supervisor. Supervisor has write,
ldapadmin has read. ;)

Supervisor is a small subset of ldapAdmin.

>> access to attrs=krb5PrincipalName,member,suseasstatus
>>         by anonymous compare
>>         by * break
>
> This I have.

Note that I doubt you need suseasstatus, since that is our own custom
attribute. ;) Also, krb5PrincipalName only applies if you are using the
krb5 schema from PADL (part of the CVS checkout from OpenLDAP, but not
included in distributions). Stanford has patched it some to bring it up to
date with current OpenLDAP releases, but that is not committed back into
the OpenLDAP tree.

>> access to attrs=entry
>>         by * read
>>
>> --Quanah
>
> Thanks!

Glad it helped. :)

--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
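The ordering question Paul raises (does the read-only clause for ldapAdmin stop its members from ever getting write?) comes down to how slapd walks its access directives: the first "access to" clause whose target matches is used, and within it the first matching "by" clause decides, unless that clause ends in "break", which passes evaluation on to the next directive. The fragment below is an added illustration, not the Stanford slapd.acl quoted in the thread; the "Supervisor" group DN, the example.com suffix and the position of the write rule are assumptions chosen to show why a write rule for a subset group has to precede the broader read rule.

```conf
# Added illustrative slapd.conf ACL fragment (not the Stanford file quoted
# above).  The Supervisor group DN, the dc=example,dc=com suffix and the
# placement of the write rule are assumptions.

# Root DSE and the monitor backend carry no user data; let anyone read them.
access to dn.base=""
        by * read
access to dn.base="cn=monitor"
        by * read

# Write access for the small Supervisor group comes FIRST.  slapd applies the
# first "access to" clause that matches the target and, inside it, the first
# matching "by" clause.  If this rule sat below the ldapAdmin read rule, a
# Supervisor member (who is also an ldapAdmin member) would match
# "by group.base=...ldapAdmin... read" first and end up with read only.
# "by * break" sends everyone who is not a Supervisor on to the next
# directive instead of stopping with no access.
access to *
        by group.base="cn=Supervisor,cn=Applications,dc=example,dc=com"
           sasl_ssf=56 write
        by * break

# Broad read access for the larger ldapAdmin group, and only over a SASL
# security layer of at least 56 bits.  A member who binds without that
# strength does not match this clause and simply falls through.
access to *
        by group.base="cn=ldapAdmin,cn=Applications,dc=example,dc=com"
           sasl_ssf=56 read
        by * break

# Anonymous clients may compare (but not read) these attributes, so an
# application can ask "is this DN a member of that group?" without being able
# to enumerate the membership.  Still "break" so later directives can grant
# more to authenticated users.
access to attrs=krb5PrincipalName,member
        by anonymous compare
        by * break

# The entry pseudo-attribute is readable by all, so entries show up in
# searches even though their other attributes stay hidden.
access to attrs=entry
        by * read

# No later directive matches, so every other attribute gets the implicit
# default for unmatched targets: no access.
```

A quick way to confirm the ordering behaves as intended is to bind as a member of each group in turn and attempt a modify: the Supervisor member should succeed, the plain ldapAdmin member should be refused with insufficient access, and an anonymous compare against the member attribute should still return TRUE or FALSE rather than an error.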