Dear all. In my installation it's required that if someone logs in, he can modify his own entry and can modify & delete & create entries under his own entry, e.g.
login as: dn: ou=Support,o=Real Softservice
Then I should be able to modify & delete & create:
dn: cn=Wang Penghui,ou=Suport,o=Real Softservice
dn: cn=Zhang Weiwu,ou=Suport,o=Real Softservice
dn: cn=Wolfgang Scheuing,ou=Suport,o=Real Softservice
Looks like a simple requirement. Anyway I dug into ACL manual for days without a clue (maybe also because of my bad English). Can anyone provide a hint and simplified example? Thanks a lot in advance!
Hopefully someone will correct me if I'm wrong but as far as I'm aware you cannot log in as an ou object.
I'd have set up an admin user for dn: ou=Support,o=Real Softservice, e.g.:
cn=admin,ou=Support,o=Real Softservice
then create an ACL like
access to dn.base="ou=Support,o=Real Softservice" by dn.exact="cn=admin,ou=Support,o=Real Softservice" write by * read
So when you log in as cn=admin,ou=Support,o=Real Softservice you will have access to create / edit the full tree under ou=Support,o=Real Softservice.
Shane.
On 09/05/07, Zhang Weiwu zhangweiwu@realss.com wrote:
Dear all. In my installation it's required that if someone logs in, he can modify his own entry and can modify & delete & create entries under his own entry, e.g.
login as: dn: ou=Support,o=Real Softservice
Then I should be able to modify & delete & create:
dn: cn=Wang Penghui,ou=Suport,o=Real Softservice
dn: cn=Zhang Weiwu,ou=Suport,o=Real Softservice
dn: cn=Wolfgang Scheuing,ou=Suport,o=Real Softservice
Looks like a simple requirement. Anyway I dug into ACL manual for days without a clue (maybe also because of my bad English). Can anyone provide a hint and simplified example? Thanks a lot in advance!
-- Zhang Weiwu Real Softservice http://www.realss.com +86 592 2091112
Shane wrote:
Hopefully someone will correct me if I'm wrong but as far as I'm aware you cannot log in as an ou object.
You can log in with __ANY__ DN, provided you configure your server to authenticate that identity. As for how to do that, there are innumerable ways (SASL in the first place, but adding a userPassword to an organizationalUnit, which is an allowed attribute, allows simple bind as well). Also, identities in ACL do not imply the capability to bind with that DN, since proxyAuthz allows, as permitted by appropriate mechanisms, to assume any DN for the duration of an operation. Technically, the code does not pose any limit that is not a violation of the specifications; it's up to the administrator to limit what is possible and what is not.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it
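Pierangelo's second route (a userPassword on the organizationalUnit so the ou can simple-bind) looks like the following LDIF, as an added illustration that is not part of the thread. It assumes the ou entry already exists and that the hash is produced beforehand with slappasswd; the hash value shown is a placeholder, not a real credential.

```ldif
# Added example: make ou=Support,o=Real Softservice bindable by simple bind.
# organizationalUnit permits userPassword as an optional attribute.
# Replace the placeholder with the output of:  slappasswd -h {SSHA}
dn: ou=Support,o=Real Softservice
changetype: modify
add: userPassword
userPassword: {SSHA}PLACEHOLDER-output-of-slappasswd
```

Apply it with `ldapmodify -x -D <rootdn> -W -f file.ldif`, then confirm the bind with `ldapwhoami -x -D "ou=Support,o=Real Softservice" -W`. Pair this with an ACL that grants the userPassword attribute `auth` access only (never `read`) to other identities, so the hash never leaves the server.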
On Thu, 2007-05-10 at 00:29 +0930, Shane wrote:
Hopefully someone will correct me if I'm wrong but as far as I'm aware you cannot log in as an ou object.
I'd has setup and admin user for dn: ou=Support,o=Real Softservice eg:
cn=admin,ou=Support,o=Real Softservice
then create an ACL like
access to dn.base="ou=Support,o=Real Softservice" by dn.exact="cn=admin,ou=Support,o=Real Softservice" write by * read
Such an ACL is just fine and understandable for me, but in my case I have 3000 ou in my ldap repository belonging to more than 1500 'o' entries, and each ou has many persons in it, each 'o' and 'ou' needs to log in; if I use your syntax I will need to add 4500 ACL rules to my slapd.conf and buy a super powerful computer for that...
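Shane's per-ou rule and Zhang's scaling concern can both be met with regex ACLs in slapd.conf, as in the added example below, which is not from this thread. It uses `dn.regex` on the `to` side and `dn.exact,expand` on the `by` side (documented in slapd.access(5)) so that one rule covers every `ou=...,o=...` subtree: the submatch `$2` is the managing ou, `$3` its o. It assumes the `o` and `ou` entries carry a userPassword (or another bind identity), that the naming is exactly `cn=...,ou=...,o=...`, and that anonymous read of non-password attributes is acceptable; tighten `by * read` to `by users read` if it is not.

```conf
# Added example (not from the thread): one regex rule per level instead of
# one rule per ou. Rules are evaluated in order; the first "to" that matches
# the target entry/attribute wins, so password rules come first.

# userPassword under an ou: the entry itself, its ou and its o may set it;
# everyone else may only use it to authenticate, never read the hash.
access to dn.regex="^(.*,)?(ou=[^,]+,(o=[^,]+))$" attrs=userPassword
    by self write
    by dn.exact,expand="$2" write
    by dn.exact,expand="$3" write
    by anonymous auth
    by * none

# userPassword on an o entry (and anything directly beneath it)
access to dn.regex="^(.*,)?(o=[^,]+)$" attrs=userPassword
    by self write
    by dn.exact,expand="$2" write
    by anonymous auth
    by * none

# Everything at or below an ou: the ou entry (bound as "$2") and its o entry
# ("$3") get write, which covers the "entry" and "children" pseudo-attributes
# needed for add and delete. Each entry may still edit itself.
access to dn.regex="^(.*,)?(ou=[^,]+,(o=[^,]+))$"
    by self write
    by dn.exact,expand="$2" write
    by dn.exact,expand="$3" write
    by * read

# Everything at or below an o entry not already matched above
access to dn.regex="^(.*,)?(o=[^,]+)$"
    by self write
    by dn.exact,expand="$2" write
    by * read
```

Check the result offline with slapacl before restarting slapd, for example `slapacl -f slapd.conf -D "ou=Support,o=Real Softservice" -b "cn=Wang Penghui,ou=Support,o=Real Softservice" entry/write children/write`, and the negative case `slapacl -f slapd.conf -D "ou=Sales,o=Real Softservice" -b "cn=Wang Penghui,ou=Support,o=Real Softservice" entry/write`, which should be denied. Regex matching is done on the normalized DN, so the patterns use lowercase attribute types and `[^,]+` for values, which also tolerates the space in "Real Softservice".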
Zhang Weiwu wrote:
Dear all. In my installation it's required if someone logs in, he can modify his own entry and can modify & delete & create entries of his own entry, e.g. [..] Looks like a simple requirement. Anyway I dug into ACL manual for days without a clue (maybe also because of my bad English). Can anyone provide a hint and simplified example? Thanks a lot in advance!
The FAQ-O-MATIC contains very useful example ACLs:
http://www.openldap.org/faq/data/cache/189.html
Ciao, Michael.