Hi!
I'm running OpenLDAP 2.3.19.
Our LDAP structure is as below:

ou=admin,dc=example,dc=com
    cn=admlocal            (objectclass=person)
    cn=admmaster           (objectclass=simpleSecurityObject, organizationalRole)
ou=deps,dc=example,dc=com
    dep=dep1               (objectclass=locDep)
        cn=admin           (objectclass=locAdmin)
        locId=ID11         (objectclass=locData)
        locId=ID12         (objectclass=locData)
        locUsr=USR11       (objectclass=locUser)
        . . .
    dep=dep2               (objectclass=locDep)
        cn=admuser         (objectclass=locAdmin)
        locId=ID21         (objectclass=locData)
        locId=ID22         (objectclass=locData)
        locUsr=USR21       (objectclass=locUser)
Objectclasses locDep, locAdmin, locData and locUser are locally defined classes.
Everything works fine right now, but when I looked in slapd.conf I saw a major configuration error. The access lists state:

access to attrs=userPassword
        by dn="cn=admmaster,ou=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admlocal,ou=admin,dc=example,dc=com" write
        by dn="cn=admmaster,ou=admin,dc=example,dc=com" write
        by * write
I want to tighten this security but I can't figure out how I should configure my access lists.

* cn=admmaster,ou=admin,dc=example,dc=com should have full access to everything.
* cn=admlocal,ou=admin,dc=example,dc=com should have full access to everything, except userPassword.
* cn=<username>,dep=<dep>,ou=deps,dc=example,dc=com should have full access to everything below its dep, i.e.
  - cn=admin,dep=dep1,ou=deps,dc=example,dc=com should have full access to everything below dep=dep1,ou=deps,dc=example,dc=com and read on dep=dep1,ou=deps,dc=example,dc=com.
  - cn=admuser,dep=dep2,ou=deps,dc=example,dc=com should have full access to everything below dep=dep2,ou=deps,dc=example,dc=com and read on dep=dep2,ou=deps,dc=example,dc=com.
The name of (class) locAdmin can be different in different deps.
I hope that I've managed to describe what I want to achieve.
/Andreas
---------------------------------------------------------------- This message was sent using IMP (http://www.horde.org). Running on PHP 5.1.2, Apache 2.0.55, Ubuntu Dapper.
openldap-software@openldap.org
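One way to express the policy described in the post as slapd.conf access directives. This is an added example, not part of the original message and not an OpenLDAP project sample; the DNs and tree layout are taken from the post, and the `dn.regex` back-reference (`$1` in a `by` clause referring to a submatch of the `to` clause's regex) is the mechanism documented in slapd.access(5). Clause order matters: for each attribute of each entry slapd uses the first `to` clause that matches, and within it the first matching `by` clause, so the narrow clauses come first.

```conf
# 1. userPassword on entries *below* a department: the department's own
#    admin (any cn=... entry directly under that dep, since the post says
#    the locAdmin name differs per dep) may write it, the entry itself may
#    change it, anonymous gets "auth" so simple binds still work.
#    $1 is the dep value captured in the "to" regex.
access to dn.regex="^.+,dep=([^,]+),ou=deps,dc=example,dc=com$" attrs=userPassword
        by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
        by dn.regex="^cn=[^,]+,dep=$1,ou=deps,dc=example,dc=com$" write
        by self write
        by anonymous auth
        by * none

# 2. userPassword everywhere else: only admmaster and the entry itself.
#    admlocal is deliberately absent, so it falls through to "by * none".
access to attrs=userPassword
        by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# 3. The department entry itself: read for its own admin.
access to dn.regex="^dep=([^,]+),ou=deps,dc=example,dc=com$"
        by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
        by dn.exact="cn=admlocal,ou=admin,dc=example,dc=com" write
        by dn.regex="^cn=[^,]+,dep=$1,ou=deps,dc=example,dc=com$" read
        by * none

# 4. Everything below a department: full access for its own admin.
access to dn.regex="^.+,dep=([^,]+),ou=deps,dc=example,dc=com$"
        by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
        by dn.exact="cn=admlocal,ou=admin,dc=example,dc=com" write
        by dn.regex="^cn=[^,]+,dep=$1,ou=deps,dc=example,dc=com$" write
        by * none

# 5. The rest of the tree (ou=admin, ou=deps, the suffix): the two global
#    admins only. Replacing the original "by * write" with "by * none"
#    is the actual fix for the hole described in the post.
access to *
        by dn.exact="cn=admmaster,ou=admin,dc=example,dc=com" write
        by dn.exact="cn=admlocal,ou=admin,dc=example,dc=com" write
        by * none
```

Two caveats worth checking against a test instance before deploying: the `by dn.regex="^cn=[^,]+,dep=$1,..."` pattern grants department rights to any entry whose RDN is `cn=` and that sits directly under the dep, which matches the post's "name can differ" requirement but means a non-admin `cn=` entry placed there would inherit them (a fixed cn, or a `group=` clause, is tighter if that can happen); and if `cn=admmaster` is also the database `rootdn`, it bypasses these ACLs entirely, so its `by` lines only matter if it is an ordinary entry that binds with its own userPassword. Ordinary users get no read access in this version because the post does not ask for any; a `by users read` line in clauses 3 to 5 would add it. `slapacl` (shipped with OpenLDAP 2.3) can be used to verify what a given bind DN is granted on a given entry without going through a client.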