LDAP acl n00b question

Corey Edwards tensai at zmonkey.org
Mon Mar 30 08:20:46 MDT 2009


On Thu, 2009-03-26 at 21:33 -0600, Mike Lovell wrote:
> So I am setting up an LDAP for some user authentication and am working 
> on some access control lists. Right now, I have just the rootdn that was 
> set up when I installed slapd on my Debian Lenny box and that is 
> currently the only account that can write to most of the directory. I 
> want to set things up so that a small group of specified users have 
> essentially full access to the directory. I'm not quite sure how to do 
> this. I would like to have it so that I can add an attribute to a user's 
> object that would then enable access. But I am also open to other 
> alternatives. Hopefully some LDAP-savvy guys on the list can help me out 
> with some examples. Thanks.

I'm assuming this is OpenLDAP since you didn't specify. ACLs are kind of
a pain with OpenLDAP since they're hard coded into the config, which
means that any changes require a daemon restart. Not cool.

What I've come up with is to create an ou for ACLs and create groups
within it. Then I assign users to that group and they automatically get
those ACLs applied. Here's an example:

        # ou to hold all the ACLs
        dn: ou=acl,dc=example,dc=com
        ou: acl
        objectClass: organizationalUnit
        
        # super user group
        dn: cn=superusers,ou=acl,dc=example,dc=com
        cn: superusers
        objectClass: groupOfNames
        member: <dn of user 1>
        member: <dn of user 2>
        
        # slapd.conf ACL
        access to *
            by self write
            by group="cn=superusers,ou=acl,dc=example,dc=com" write
            by * read

Corey
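An added example, not part of Corey's post and not OpenLDAP code: a small evaluator for the subset of slapd.conf ACL syntax used above (`*` and `dn="..."` targets; `*`, `anonymous`, `users`, `self` and `group=` subjects), applied to the ou=acl / groupOfNames layout from the post. It implements the OpenLDAP rule that the first `access to` matching the target entry is used and, within it, the first `by` clause matching the bound identity decides. All DNs other than the group and ou from the post are constructed sample data. Running it against the posted ACL also makes one property visible that is easy to miss when reading the config: the trailing `by * read` matches anonymous binds too, so every attribute under `access to *` is readable without authentication unless a more specific `access to` directive is placed before it.

```python
"""Offline evaluator for a subset of slapd.conf ACL syntax (added example)."""
import re

# OpenLDAP access levels in increasing order; a granted level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed LDIF mirroring the post: the ou=acl container and the superusers
# group; alice is a member, carol is not.
SAMPLE_LDIF = """\
dn: ou=acl,dc=example,dc=com
ou: acl
objectClass: organizationalUnit

dn: cn=superusers,ou=acl,dc=example,dc=com
cn: superusers
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
"""

# The ACL from the post, verbatim.
SAMPLE_ACL = """\
access to *
    by self write
    by group="cn=superusers,ou=acl,dc=example,dc=com" write
    by * read
"""


def norm(dn):
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Minimal LDIF (no base64, no folding) -> {normalised dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(norm(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def parse_acl(text):
    """'access to <what>' directives, each with its ordered 'by <who> <level>' clauses."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            rules.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by ") and rules:
            who, level = line[3:].rsplit(None, 1)
            rules[-1]["by"].append((who, level))
    return rules


def what_matches(what, target_dn):
    """Target selectors handled here: '*' and dn="..." / dn.exact="..."."""
    if what == "*":
        return True
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]*)"', what)
    return m is not None and norm(m.group(1)) == norm(target_dn)


def who_matches(who, bind_dn, target_dn, entries):
    """Subject selectors handled: *, anonymous, users, self, group[/oc/attr]="dn"."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    m = re.fullmatch(r'group(?:/\w+(?:/(\w+))?)?="([^"]*)"', who)
    if m and bind_dn is not None:
        member_attr = (m.group(1) or "member").lower()  # groupOfNames default
        group = entries.get(norm(m.group(2)), {})
        return any(norm(v) == norm(bind_dn) for v in group.get(member_attr, []))
    return False


def access_for(rules, entries, bind_dn, target_dn):
    """First 'access to' whose <what> matches the target; first matching 'by' decides."""
    for rule in rules:
        if not what_matches(rule["what"], target_dn):
            continue
        for who, level in rule["by"]:
            if who_matches(who, bind_dn, target_dn, entries):
                return level
        return "none"  # target matched, no subject matched
    return "none"


def allows(granted, needed):
    """True if the granted level implies the needed one (write implies read, etc.)."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def check_matrix(ldif=SAMPLE_LDIF, acl=SAMPLE_ACL):
    """Access level each sample bind DN gets: group member, ordinary user, anonymous."""
    entries, rules = parse_ldif(ldif), parse_acl(acl)
    alice = "uid=alice,ou=people,dc=example,dc=com"
    carol = "uid=carol,ou=people,dc=example,dc=com"
    return {
        "alice->carol": access_for(rules, entries, alice, carol),
        "carol->carol": access_for(rules, entries, carol, carol),
        "carol->alice": access_for(rules, entries, carol, alice),
        "anonymous->carol": access_for(rules, entries, None, carol),
    }


if __name__ == "__main__":
    for pair, level in check_matrix().items():
        print(f"{pair:18} {level}")
```

The evaluator only covers the directives used in the post; for a real slapd.conf the authoritative offline check is `slapacl(8)`, which reads the actual configuration and reports the access a given `-D` bind DN has on a given `-b` target DN.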
