Hi,
I am new to this list, please forgive my broken English.
I have two questions. First, is it possible to set up two slapd (2.4.x) servers in mirror mode and later add one or more additional consumer slapd servers with syncrepl? The goal is to have a 2-server HA system (where one server is always writeable) and distributed cache slapds. Are there theoretical issues?
A second problem, maybe you can give me a pointer: I would like to assign the right to add, modify and delete an object to an attribute inside the same object (and necessarily to the container object). Maybe ACI and the corresponding overlay is what I need. Or can this be solved by using a regex?
Thanks a lot, with kind regards
Jens
Jens Thomas wrote:
Hi,
I am new to this list, please forgive my broken English.
I have two questions. First, is it possible to set up two slapd (2.4.x) servers in mirror mode and later add one or more additional consumer slapd servers with syncrepl? The goal is to have a 2-server HA system (where one server is always writeable) and distributed cache slapds. Are there theoretical issues?
That will work fine.
A second problem, maybe you can give me a pointer: I would like to assign the right to add, modify and delete an object to an attribute inside the same object (and necessarily to the container object). Maybe ACI and the corresponding overlay is what I need. Or can this be solved by using a regex?
I don't understand this question, give a more detailed example...
On 28.07.2009 at 01:04, Howard Chu wrote:
Hi Howard,
A second problem, maybe you can give me a pointer: I would like to assign the right to add, modify and delete an object to an attribute inside the same object (and necessarily to the container object). Maybe ACI and the corresponding overlay is what I need. Or can this be solved by using a regex?
I don't understand this question, give a more detailed example...
OK, for example, I have two objects like this:
dn: ou=container,o=org,c=de
objectClass: top
objectClass: organizationalUnit
ou: container
and
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
cn: person
sn: jackson
Now I would like to add some kind of ACL to cn=person (the objectClass "acl" is not real, but it should demonstrate what I need):
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
objectClass: acl
cn: person
sn: jackson
aclAllowByDn: cn=user1,ou=users,o=org,c=de
So if the user "user1" binds successfully, he has the permission to modify the entry. When a new entry is created or an entry is deleted, I also need write access to the parent object in the tree, so I have to extend the ou=container object too in some way to allow the operation.
It should be possible to assign the right to add, modify and delete dynamically to another LDAP object, e.g. a user object.
Thanks a lot with kind regards
Jens
On Tuesday, 28 July 2009 10:31:21 Jens Thomas wrote:
On 28.07.2009 at 01:04, Howard Chu wrote:
Hi Howard,
A second problem, maybe you can give me a pointer: I would like to assign the right to add, modify and delete an object to an attribute inside the same object (and necessarily to the container object). Maybe ACI and the corresponding overlay is what I need. Or can this be solved by using a regex?
I don't understand this question, give a more detailed example...
OK, for example, I have two objects like this:
dn: ou=container,o=org,c=de
objectClass: top
objectClass: organizationalUnit
ou: container
and
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
cn: person
sn: jackson
Now I would like to add some kind of ACL to cn=person (the objectClass "acl" is not real, but it should demonstrate what I need):
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
objectClass: acl
cn: person
sn: jackson
aclAllowByDn: cn=user1,ou=users,o=org,c=de
So if the user "user1" binds successfully, he has the permission to modify the entry.
This can be accomplished with a dnattr= "who" statement; in your example, that could be something like
access to dn.subtree="ou=container,o=org,c=de" by dnattr="aclAllowByDn" write
The "manager" attribute is sometimes used for this purpose.
When a new entry is created or an entry is deleted, I also need write access to the parent object in the tree, so I have to extend the ou=container object too in some way to allow the operation.
I think dnattr may work there as well, assuming you choose a multi-valued DN-valued attribute for storing the authorized DNs.
It should be possible to assign the right to add, modify and delete dynamically to another LDAP object, e.g. a user object.
Regards, Buchan
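A worked slapd.conf ACL fragment that carries Buchan's dnattr suggestion through to the add/delete case, as an added example that is not part of the thread or of OpenLDAP's own documentation. It assumes the authorized DNs are stored in the multi-valued, DN-syntax attribute manager (Buchan's suggestion; the thread's aclAllowByDn is not a real schema attribute) on both the person entries and the container, and that the schema allows manager on both (for example via an auxiliary objectClass, which is assumed and not shown).

```conf
# Added example (not from the thread). slapd.conf ACLs granting add, modify
# and delete under ou=container to whichever DNs an entry names in its own
# "manager" attribute. Assumes manager (multi-valued, DN syntax) is allowed
# on both the container and the person entries.

# Add and delete of an entry are gated by write access to the "children"
# pseudo-attribute of its parent. dnattr= compares the bound DN with the
# manager values of the entry whose children are being touched, i.e. the
# parent, so the container (and any sub-container) must list that DN.
access to dn.subtree="ou=container,o=org,c=de" attrs=children
        by dnattr=manager write
        by * none

# Modify of an entry, and the check slapd makes on the target itself for
# delete (its "entry" pseudo-attribute), are evaluated against that entry's
# own manager values. "self" lets a person entry also edit itself.
access to dn.subtree="ou=container,o=org,c=de"
        by dnattr=manager write
        by self write
        by * read
```

Three things to keep in mind when adapting this. The first matching "access to" clause wins, so the attrs=children rule has to stand before the general subtree rule or it is never reached. dnattr matches only when a stored value equals the DN the client actually bound as, so the values must be the bind DNs, not group names. And because manager is itself writable under the second rule, anyone listed as manager can appoint further managers; if that delegation is not wanted, put a separate "access to ... attrs=manager" rule above the general one that restricts who may change it.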
openldap-technical@openldap.org