Hello,
I'm quite new to LDAP and at the moment I'm really just playing around, trying to learn how to configure and use OpenLDAP correctly.
So I set up some kind of small address directory that could be used by my family as a central place where addresses can be stored, just to keep in contact. The setup looks like this:
# reading out data as authenticated user
access to dn.children="ou=people,dc=example,dc=org"
    by self write
    by users read
access to dn.base="ou=people,dc=example,dc=org"
    by users read
access to dn.base="dc=example,dc=org"
    by users read
This seems to work fine: I can log in using my dn uid=wolfgang,ou=people,dc=example,dc=org, and I can change my details and view the details of the other uids.
Then I thought it would be nice to be able to create my own address books within my "self" contact, such as ou=adrbook01,uid=wolfgang,ou=people,dc=example,dc=org, and have contacts in there that can only be seen by me. All other users should be able to do the same thing, of course. So I tried to create the new ou=adrbook01 entry and got a "no write access to entry". As I understand it, I may only add and change attributes that lie within my binddn.
So, now my question is: how can I configure slapd to enable users to build their own subtrees, without having to give a rule for every single uid that lies within ou=people?
Thanks in advance, Wolfgang
--On Sunday, May 03, 2009 04:14:59 AM +0200 Wolfgang Lorenz wl-chmw@gmx.de wrote:
In a past life I set up a directory where users were allowed to add entries one level down from their own entry. This was to support an application that allowed users to save URLs. The URLs marked public were displayed with their directory listing and the URLs marked private were visible only to themselves. In any case, the ACLs required to support this look like:
access to filter=(&(objectclass=urlobject)(urlprivate=Y)) by self.level{-1} write by * none
access to filter=(&(objectclass=listobject)(!(urlprivate=Y))) by self.level{-1} write by * read
Bill
Thank you,
I've found a way to achieve exactly what I wanted:
# self may write subentries no one else may read...
access to dn.regex="^(.+,)+uid=([^,]+),ou=people,dc=example,dc=com$"
    by dn.regex="^uid=$2,ou=people,dc=example,dc=com$$" write
# all may read family contacts (self may write)
access to dn.one="ou=people,dc=example,dc=com"
    by self write
    by users read
access to dn.base="ou=people,dc=example,dc=com"
    by users read
access to dn.base="dc=example,dc=com"
    by users read
Okay, that's not what you did, but I found an explanation of the regex usage while searching for the self.level{<number>} syntax. Well, it's in the man page slapd.access(5) and I should have looked there earlier, but I just didn't expect the possibility of using captures.
Cheers, Wolfgang
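To see why the dn.regex rule above gives each user their own subtree and nobody else access to it, here is an added example (not from the thread, and not OpenLDAP code) that models how slapd evaluates this ACL set according to slapd.access(5): the first "access to" whose target matches the entry is the only one consulted, within it the first matching "by" clause decides, and $2 in the "by" regex is replaced by the second capture group of the target regex. It assumes already-normalized DNs, the default ACL control (no continue/break), and entry-level access only.

```python
import re

# Constructed transcription of the thread's second ACL set; order matters, as in slapd.conf.
ACLS = [
    ("regex", r"^(.+,)+uid=([^,]+),ou=people,dc=example,dc=com$",
     [("dn.regex", r"^uid=$2,ou=people,dc=example,dc=com$$", "write")]),
    ("one", "ou=people,dc=example,dc=com",
     [("self", None, "write"), ("users", None, "read")]),
    ("base", "ou=people,dc=example,dc=com", [("users", None, "read")]),
    ("base", "dc=example,dc=com", [("users", None, "read")]),
]

def parent(dn):
    # Drop the leftmost RDN (no escaped-comma handling; demo only).
    return dn.split(",", 1)[1] if "," in dn else ""

def target_matches(style, target, entry_dn):
    # Returns a match object (regex) or True/None (base, one).
    if style == "regex":
        return re.match(target, entry_dn)
    if style == "base":
        return entry_dn == target or None
    return parent(entry_dn) == target or None          # "one"

def expand(pattern, m):
    # slapd substitutes $1..$9 from the target's capture groups before the
    # <who> regex is compiled; "$$" stands for a literal "$" (here: the end anchor).
    def repl(tok):
        return "$" if tok.group(0) == "$$" else re.escape(m.group(int(tok.group(1))))
    return re.sub(r"\$\$|\$([1-9])", repl, pattern)

def who_matches(style, who, bind_dn, entry_dn, m):
    if style == "users":
        return bind_dn != ""               # any authenticated bind
    if style == "self":
        return bind_dn == entry_dn
    return re.match(expand(who, m), bind_dn) is not None   # "dn.regex"

def access_level(bind_dn, entry_dn):
    # First <what> that matches the entry is the only one consulted; within it
    # the first matching <who> wins; no matching <who> means implicit "by * none".
    for style, target, bys in ACLS:
        m = target_matches(style, target, entry_dn)
        if not m:
            continue
        for who_style, who, level in bys:
            if who_matches(who_style, who, bind_dn, entry_dn, m):
                return level
        return "none"
    return "none"
```

Running it shows that uid=wolfgang gets write on anything under his own entry, while uid=anna gets no access at all there (the first rule matches the entry, her bind DN matches no "by" clause, and evaluation stops), yet both can still read each other's top-level contact entries.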
On Tue, May 5, 2009 at 3:13 PM, Wolfgang Lorenz wl-chmw@gmx.de wrote:
Where possible I would use the self.level{-1} syntax in preference to regexes, since it is more descriptive. It also doesn't depend on the stability and performance of the OS regex libraries (which use a lot of malloc/frees).
On Wed, 6 May 2009 12:39:10 -0700, Sean Burford unix.gurus@gmail.com wrote:
But the regex way gives me the possibility to give write access to the whole subtree of the binddn, whereas I wouldn't know how to do this using self.level...
Anyway, I don't expect many LDAP requests, which makes me think that I can spare some mallocs and frees. ;-) But I can see that this might be a problem on a bigger system with many more users than mine.
Cheers, Wolfgang
openldap-software@openldap.org