LDAP acl n00b question
Corey Edwards
tensai at zmonkey.org
Mon Mar 30 08:20:46 MDT 2009
On Thu, 2009-03-26 at 21:33 -0600, Mike Lovell wrote:
> So I am setting up an LDAP for some user authentication and am working
> on some access control lists. Right now, I have just the rootdn that was
> set up when I installed slapd on my Debian Lenny box and that is
> currently the only account that can write to most of the directory. I
> want to set things up so that a small group of specified users have
> essentially full access to the directory. I'm not quite sure how to do
> this. I would like to have it so that I can add an attribute to a user's
> object that would then enable access. But I am also open to other
> alternatives. Hopefully some ldap savvy guys on the list can help me out
> with some examples. Thanks.
I'm assuming this is OpenLDAP since you didn't specify. ACLs are kind of
a pain with OpenLDAP since they're hard coded into the config, which
means that any changes require a daemon restart. Not cool.
What I've come up with is to create an ou for ACLs and create groups
within it. Then I assign users to that group and they automatically get
those ACLs applied. Here's an example:
# ou to hold all the ACLs
dn: ou=acl,dc=example,dc=com
ou: acl
objectClass: organizationalUnit

# super user group
dn: cn=superusers,ou=acl,dc=example,dc=com
cn: superusers
objectClass: groupOfNames
member: <dn of user 1>
member: <dn of user 2>

# slapd.conf ACL (continuation lines must start with whitespace)
access to *
        by self write
        by group="cn=superusers,ou=acl,dc=example,dc=com" write
        by * read
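An added example, not from Corey's message, showing the same group-based ACL in cn=config form (olcAccess), which slapd re-reads without a restart, and with userPassword handled ahead of the catch-all rule because OpenLDAP stops at the first matching access line and first matching by clause. The database entry olcDatabase={1}hdb,cn=config is an assumption; look up the real one under cn=config before applying.

```ldif
# Replace the ACL set on the (assumed) hdb database entry.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# {0}: password hashes are never readable; users may change their own,
# the superusers group may set them, everyone else may only bind with them.
olcAccess: {0}to attrs=userPassword
  by self write
  by group.exact="cn=superusers,ou=acl,dc=example,dc=com" write
  by anonymous auth
  by * none
# {1}: everything else keeps the semantics of the slapd.conf rule above,
# but read access is limited to authenticated users instead of anyone.
olcAccess: {1}to *
  by self write
  by group.exact="cn=superusers,ou=acl,dc=example,dc=com" write
  by users read
  by * none
```

Swapping the order of the two olcAccess values would make the catch-all match first and expose userPassword to every authenticated user, so keep the attribute-specific rule at index 0.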
Corey