2 p.m.
Hi,
i am new at this list, please forgive me my broken english.
I have two questions, first, is it possible to setup two slapd (2.4.x)
in mirror mode and add later one or more additional consumer slapd
with syncrepl? The goal is to have a 2-server-HA system (where one
server is always writeable) and distributed cache slapd's. Are there
theoretical issues?
A second problem, maybe you can give me a pointer: I would like to
assign the right to add, modify and delete an object to an attribute
inside the same object (and necessarily to the container object).
Maybe ACI and the corresponding overlay is what i need. Or can this be
solved by using regex?
Thanks a lot,
with kind regards
Jens
--
linux systeme thomas
Jens Thomas
Völklinger Straße 9
42285 Wuppertal
Telefon: +49.202.3097507
Mobil: +49.177.9301386
eFax: +49.202.85064329
Web: http://linux-systeme-thomas.de
USt-ID: DE250711901
4:04 p.m.
Jens Thomas wrote:
Hi,
i am new at this list, please forgive me my broken english.
I have two questions, first, is it possible to setup two slapd (2.4.x)
in mirror mode and add later one or more additional consumer slapd
with syncrepl? The goal is to have a 2-server-HA system (where one
server is always writeable) and distributed cache slapd's. Are there
theoretical issues?
That will work fine.
A second problem, maybe you can give me a pointer: I would like to
assign the right to add, modify and delete an object to an attribute
inside the same object (and necessarily to the container object).
Maybe ACI and the corresponding overlay is what i need. Or can this be
solved by using regex?
I don't understand this question, give a more detailed example...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
2:31 a.m.
Am 28.07.2009 um 01:04 schrieb Howard Chu:
Hi Howard,
> A second problem, maybe you can give me a pointer: I would like
to
> assign the right to add, modify and delete an object to an attribute
> inside the same object (and necessarily to the container object).
> Maybe ACI and the corresponding overlay is what i need. Or can this
> be
> solved by using regex?
I don't understand this question, give a more detailed example...
Ok, for example, i have two objects like that:
dn: ou=container,o=org,c=de
objectClass: top
objectClass: organizationalUtit
ou: container
and
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
cn: person
sn: jackson
Now i would like to add some kind of acl to the cn=person (the
objectClass "acl" is not real, but it should demonstrate, what i need):
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
objectClass: acl
cn: person
sn: jackson
aclAllowByDn: cn=user1,ou=users,o=org,c=de
So if the user "user1" binds successfully he has the permission to
modify the entry. When a new entry is createt or a entry is deletet, i
also need write access to the parent object in the tree, so i have to
expand the ou=container object too in some way to allow the operation.
It should be possible to assign the right to add, modify and delete
dynamically to an other ldap object, e.g. a user object.
Thanks a lot
with kind regards
Jens
--
linux systeme thomas
Jens Thomas
Völklinger Straße 9
42285 Wuppertal
Telefon: +49.202.3097507
Mobil: +49.177.9301386
eFax: +49.202.85064329
Web: http://linux-systeme-thomas.de
USt-ID: DE250711901
2:04 a.m.
On Tuesday, 28 July 2009 10:31:21 Jens Thomas wrote:
Am 28.07.2009 um 01:04 schrieb Howard Chu:
Hi Howard,
>> A second problem, maybe you can give me a pointer: I would like to
>> assign the right to add, modify and delete an object to an attribute
>> inside the same object (and necessarily to the container object).
>> Maybe ACI and the corresponding overlay is what i need. Or can this
>> be
>> solved by using regex?
>
> I don't understand this question, give a more detailed example...
Ok, for example, i have two objects like that:
dn: ou=container,o=org,c=de
objectClass: top
objectClass: organizationalUtit
ou: container
and
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
cn: person
sn: jackson
Now i would like to add some kind of acl to the cn=person (the
objectClass "acl" is not real, but it should demonstrate, what i need):
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
objectClass: acl
cn: person
sn: jackson
aclAllowByDn: cn=user1,ou=users,o=org,c=de
So if the user "user1" binds successfully he has the permission to
modify the entry.
This can be accomplished with a dnattr= "who" statement, in your example, that
could be something like
access to "dn.subtree="ou=container,o=org,c=de" by
dnattr="aclAllowByDn" write
The "manager" attribute is sometimes used for this purpose.
When a new entry is createt or a entry is deletet, i
also need write access to the parent object in the tree, so i have to
expand the ou=container object too in some way to allow the operation.
I think dnattr may work there as well, assuming you choose a mutli-valued DN-
valued attribute for storing the authorized DNs.
It should be possible to assign the right to add, modify and delete
dynamically to an other ldap object, e.g. a user object.
Regards,
Buchan
4987
days inactive
4989
days old
openldap-technical@openldap.org
3 comments
3 participants
participants (3)
-
Buchan Milne -
Howard Chu -
Jens Thomas