[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd-meta and acls

To: openldap-software@openldap.org
Subject: slapd-meta and acls
From: Irina Shetukhina <irka@masterhost.ru>
Date: Thu, 27 Nov 2008 20:29:40 +0300

Hi.

I have meta-backend o=vega and two databases o=vega-main and ou=devel on the same server.
I'd configure meta-backend o=vega with

suffixmassage   "o=vega" "o=vega-main"
and
suffixmassage   "ou=devel,ou=sites,o=vega" "ou=devel"

I'd like to write acls per database, but provide DIT as single suffix
o=vega.

Members of cn=sysadmins,ou=groups,o=vega (really
cn=sysadmins,ou=groups,o=vega-main) should grant write permissions
to ou=devel,ou=sites,o=vega (really ou=devel). But
they grant only read to o=vega.

Where am I wrong?

My slapd.conf:

database        meta
suffix          "o=vega"
uri             "ldap://ldap.irka.int.masterhost.ru/ou=devel,ou=sites,o=vega";
suffixmassage   "ou=devel,ou=sites,o=vega" "ou=devel"
rootdn          "cn=ldapadm,o=vega"
rootpw          X
uri             "ldap://ldap.irka.int.masterhost.ru/o=vega";
suffixmassage   "o=vega" "o=vega-main"

database        hdb
suffix          ou=devel
rootdn          "cn=ldapadm,ou=devel"
rootpw          XX
directory       /var/db/openldap-data/devel
checkpoint      32 8

access to dn.sub="ou=devel"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,ou=vega-main" write
        by * read

database        hdb
suffix          o=vega-main
rootdn          "cn=ldapadm,o=vega-main"
rootpw          XXX
directory       /var/db/openldap-data/vega-main
checkpoint      32 8

access to
        dn.sub="ou=SUDOers,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to
        dn.sub="ou=mail,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to
        dn.regex="ou=.*,ou=groups,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to
        dn.sub="ou=groups,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to
        dn.sub="ou=users,o=vega-main" attrs=userPassword
        by self write
        by anonymous auth
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write

access to
        dn.sub="ou=users,o=vega-main" attrs=mail
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to
        dn.sub="ou=users,o=vega-main" attrs=@inetOrgPerson,@inetLocalMailRecipient,@intraPerson,cn
        by self write
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to
        dn.sub="ou=users,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to
        dn.sub="o=vega-main"
        by anonymous auth
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by * read


My openldap version 2.4.11 on FreeBSD 7.0-amd64.

-- 
Irina Shetukhina

Prev by Date: Re: Can't get olcPasswordHash to take effect...
Index(es):
- Chronological
- Thread