Re: OpenLDAP permissions question

[Igor Shmukler <igor.shmukler@gmail.com>]

Hi Marc,

Thank you for reading my thread and trying to help.

>> I do have entries for each database. If my suffix is, for example
>> dc=test,dc=org, administrator would be cn=admin,dc=test,dc=org
>> Administrators have manage access to their databases. This part is
>> working fine. I add and remove records as needed. You also wrote one
>> per database - this is exactly what I have.
>> Unfortunately, despite all the help, I don't see how this is relevant.
>
> I thought, this is what you want!?

I want it, and it is working fine. This is however not ALL that I want.

> This is the basic standard.
> You only have one config database.
> And one or more data databases.

You are obviously correct. Even I know this, by now.

>> I need each DIT database to work as today
>
> whatever this is ...
>
>> - be managed by an authenticated local/suffix root user.
>
> one user per database was what I talked about.
> one admin/manange/root user for all databases is even simpler: just use the
> same user in all your databases.
>
> What you cannot do (IMHO), is mapping _one_ system user to _many_ ldap
> users. But I don't think this is necessary.

Right, I also think that we cannot map one user to many because
mapping is done at config level, and there is one config per server.
This was my point.

>> I need a way to alter records in any/every DIT
>> database using another root - one that would work on ALL DITs.
>
> Use ACL!

Makes sense. I just don't know how to get ACLs to work, nor does anyone else.

>> If someone could do this before Sunday morning, please contact me to
>> discuss compensation. If I don't get to a result by Sunday morning, I
>> have to start changing the architecture so I can show something on
>> Monday. :)
>
> Good luck with that!

Thank you. I need it. Otherwise, I will have to do a huge rewrite on
Sunday. I would rather not have to do the marathon thing.

Sincerely,

Igor Shmukler