Hello,
I have two suffixes with two bdb backends, in the first suffix you find internal and in the second suffix you find external users. Is there a solution that every uid of each person is unique in both trees together?
In slapd.conf.5 it is described that every subtree needs a directive to use overlay unique ".. to enforce the uniqueness of some or all attributes within a subtree.".
I'm running openldap version 2.3.41.
Best regards Andreas
Andreas Schoe wrote:
> I have two suffixes with two bdb backends, in the first suffix you find internal and in the second suffix you find external users.
Is there a reason for this strict distinction?
You could glue the suffixes together under a common suffix if it does not violate your security requirements and place slapo-unique there.
Ciao, Michael.
On Tue, 29 Jul 2008, Michael Ströder wrote:
>> I have two suffixes with two bdb backends, in the first suffix you find internal and in the second suffix you find external users.
> You could glue the suffixes together under a common suffix if it does not violate your security requirements and place slapo-unique there.
Presumably, the two suffix values are known in advance as constants. Therefore it should be fairly trivial to write ACLs along the lines of:
access to dn.subtree="ou=Area1,dc=suffix" [mostlyAllow]
access to dn.subtree="ou=Area2,dc=suffix" [mostlyAllow]
access to dn.subtree="dc=suffix" [mostlyDeny]
which should allow slapo-unique to be used (under access internal to slapd) while not granting additional access to the external world.
Yes,
there are different reasons for this strict distinction, especially security reasons.
I think I have to choose the same naming context for both suffixes if I create a meta database and put slapo-unique there.
Is it an alternative? If it is, could I create a meta database with different naming contexts?
Aaron Richton wrote:
> On Tue, 29 Jul 2008, Michael Ströder wrote:
>>> I have two suffixes with two bdb backends, in the first suffix you find internal and in the second suffix you find external users.
>> You could glue the suffixes together under a common suffix if it does not violate your security requirements and place slapo-unique there.
> Presumably, the two suffix values are known in advance as constants. Therefore it should be fairly trivial to write ACLs along the lines of:
> access to dn.subtree="ou=Area1,dc=suffix" [mostlyAllow]
> access to dn.subtree="ou=Area2,dc=suffix" [mostlyAllow]
> access to dn.subtree="dc=suffix" [mostlyDeny]
> which should allow slapo-unique to be used (under access internal to slapd) while not granting additional access to the external world.
openldap-software@openldap.org
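An added example, not part of the original thread: slapo-unique checks writes as they arrive, so uid collisions that already exist between the internal and external trees have to be found separately before a common suffix is put in place. This sketch compares LDIF exports of the two backends (for instance from slapcat); the suffixes, the entries and the function names `parse_ldif` and `uid_collisions` are constructed for the example.

```python
import base64
from collections import defaultdict
# Constructed sample exports (suffixes and entries are made up for this example).
INTERNAL_LDIF = """\
dn: uid=aschmidt,ou=people,dc=internal,dc=example
uid: aschmidt
"""
EXTERNAL_LDIF = """\
dn: uid=ASchmidt,ou=partners,dc=external,dc=example
uid:: QVNjaG1pZHQ=

dn: uid=cpartner,ou=partners,dc=external,dc=exa
 mple
uid: cpartner
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}); handles folded lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, defaultdict(list)
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, dict(attrs)
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        b64 = value.startswith(":")           # "attr:: <base64>"
        value = base64.b64decode(value[1:]).decode("utf-8") if b64 else value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)

def uid_collisions(*ldif_texts, attr="uid"):
    """Return {value: [dn, ...]} for attr values held by more than one entry."""
    owners = defaultdict(list)
    for text in ldif_texts:
        for dn, attrs in parse_ldif(text):
            for value in attrs.get(attr, []):
                owners[value.lower()].append(dn)   # uid matches case-insensitively
    return {v: dns for v, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    print(uid_collisions(INTERNAL_LDIF, EXTERNAL_LDIF))
```

The base64-encoded and differently cased `ASchmidt` in the external tree is reported against `aschmidt` in the internal tree, which is the kind of pair a plain text comparison of the two exports would miss.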