[EMAIL PROTECTED] wrote:
> Taking the following structure as reference:
>
> o=ditta,c=it
> |
> +----ou=Rubrica
> |    |
> |    +----cn=admin
> |    |
> |    +----ou=Amministrazione
> |    |    |
> |    |    +----cn=admin
> |    |
> |    +----ou=Vendite
> |    |    |
> |    |    +----cn=admin
> |    |
> |    +----ou=Magazino
> |         |
> |         +----cn=admin
> |
> +----ou=Altro
>
> and the following ACL entered in slapd.conf:
>
> access to dn.subtree="ou=Amministrazione,ou=Rubrica,o=ditta,c=it"
> by dn="cn=admin,ou=Amministrazione,ou=Rubrica,o=ditta,c=it" write
> by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=admin,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=anonymous,o=ditta,c=it" read
> by self write
> by anonymous auth
>
> access to dn.subtree="ou=Vendite,ou=Rubrica,o=ditta,c=it"
> by dn="cn=admin,ou=Vendite,ou=Rubrica,o=ditta,c=it" write
> by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=admin,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=anonymous,o=ditta,c=it" read
> by self write
> by anonymous auth
>
> access to dn.subtree="ou=Magazino,ou=Rubrica,o=ditta,c=it"
> by dn="cn=admin,ou=Magazino,ou=Rubrica,o=ditta,c=it" write
> by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=admin,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=anonymous,o=ditta,c=it" read
> by self write
> by anonymous auth
>
> access to dn.subtree="ou=Rubrica,o=ditta,c=it"
> by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=admin,ou=Rubrica,o=ditta,c=it" write
> by dn="cn=anonymous,o=ditta,c=it" read
> by self write
> by anonymous auth
>
> and bearing in mind that a userPassword is also set for each cn=admin.
>
> The question is:
>
> 1) Is it possible to insert a cn=admin user into the DB that has write
> privileges on its own branch without always having to update the ACLs
> in the slapd.conf file?
>
> 2) If so, taking the structure reported above as reference, is it
> possible to give an example?
Yes, yes:
# access to the sub-branches; in particular, the cn=admin of each
# sub-branch has write access. Note that $2 captures only the ou *value*
# (e.g. "Amministrazione"), so the "ou=" prefix has to be restated in the
# expanded DN; the regex is anchored so that it only matches DNs that
# actually end in the Rubrica suffix.
access to dn.regex="^(.+,)?ou=([^,]+),ou=Rubrica,o=ditta,c=it$"
by dn.expand="cn=admin,ou=$2,ou=Rubrica,o=ditta,c=it" write
by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
by dn="cn=anonymous,o=ditta,c=it" read
by self write
by anonymous auth
# access to everything else that is not caught by the rule above;
# in particular, it has the same "by" clauses except the cn=admin
# of the sub-branch.
access to dn.subtree="ou=Rubrica,o=ditta,c=it"
by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
by dn="cn=anonymous,o=ditta,c=it" read
by self write
by anonymous auth
Cheers, p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: [EMAIL PROTECTED]
---------------------------------------
_______________________________________________
OpenLDAP mailing list
[email protected]
https://www.sys-net.it/mailman/listinfo/openldap
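The following is an added illustration, not code from the thread or from OpenLDAP itself: a small Python model of how slapd evaluates the two rules in the reply above (first matching "access to" wins, then the first matching "by" clause within it wins, and the `$2` capture from `dn.regex` is substituted into `dn.expand` before an exact DN comparison). DN normalization is approximated (lower-case, blanks around commas stripped) and is an assumption; real slapd normalization is richer. The sample DNs are constructed from the tree in the question; `expanded_by_dn` shows why the expansion must read `cn=admin,ou=$2,...` rather than `cn=admin,$2,...`.

```python
import re

# Assumption: simplified model of slapd ACL evaluation, written for this
# illustration only. It is not OpenLDAP code.

SUFFIX = "ou=Rubrica,o=ditta,c=it"

# Anchored regex from the reply: $1 is an optional leading RDN chain, $2 is
# only the ou *value* of the sub-branch (e.g. "amministrazione").
BRANCH_REGEX = rf"^(.+,)?ou=([^,]+),{re.escape(SUFFIX)}$"


def normalize_dn(dn):
    """Approximate slapd normalization: lower-case, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expand(template, match):
    """Substitute $0..$9 in a dn.expand template with regex capture groups."""
    def sub(m):
        idx = int(m.group(1))
        return (match.group(idx) if idx <= match.re.groups else None) or ""
    return re.sub(r"\$(\d)", sub, template)


def is_subtree(base, dn):
    """dn.subtree semantics: the base entry itself plus everything below it."""
    b, d = normalize_dn(base), normalize_dn(dn)
    return d == b or d.endswith("," + b)


def expanded_by_dn(target_dn, template, regex=BRANCH_REGEX):
    """The DN a dn.expand template becomes for a given target (None if no match)."""
    m = re.match(regex, normalize_dn(target_dn), re.IGNORECASE)
    return normalize_dn(expand(template, m)) if m else None


# The two "access to" rules from the reply, each with its ordered "by" clauses.
RULES = [
    ("regex", BRANCH_REGEX, [
        ("expand", f"cn=admin,ou=$2,{SUFFIX}", "write"),
        ("subtree", f"cn=admin,{SUFFIX}", "write"),
        ("exact", f"cn=admin,ou=elenchinlinea,{SUFFIX}", "write"),
        ("exact", "cn=anonymous,o=ditta,c=it", "read"),
        ("self", None, "write"),
        ("anonymous", None, "auth"),
    ]),
    ("subtree", SUFFIX, [
        ("subtree", f"cn=admin,{SUFFIX}", "write"),
        ("exact", f"cn=admin,ou=elenchinlinea,{SUFFIX}", "write"),
        ("exact", "cn=anonymous,o=ditta,c=it", "read"),
        ("self", None, "write"),
        ("anonymous", None, "auth"),
    ]),
]


def access_for(target_dn, bind_dn, rules=RULES):
    """Access level granted to bind_dn on target_dn ('' = anonymous bind).

    Mirrors slapd: the first "access to" whose target matches is the only one
    consulted, and within it the first matching "by" clause decides.
    """
    t = normalize_dn(target_dn)
    b = normalize_dn(bind_dn) if bind_dn else ""
    for style, pattern, clauses in rules:
        m = None
        if style == "regex":
            m = re.match(pattern, t, re.IGNORECASE)
            if not m:
                continue
        elif style == "subtree" and not is_subtree(pattern, t):
            continue
        for by_style, value, access in clauses:
            if by_style == "expand" and m and normalize_dn(expand(value, m)) == b:
                return access
            if by_style == "exact" and b and normalize_dn(value) == b:
                return access
            if by_style == "subtree" and b and is_subtree(value, b):
                return access
            if by_style == "self" and b and b == t:
                return access
            if by_style == "anonymous" and not b:
                return access
        return "none"  # rule matched the target but no "by" clause applied
    return "none"
```

Run `access_for("cn=mario,ou=Amministrazione,ou=Rubrica,o=ditta,c=it", "cn=admin,ou=Amministrazione,ou=Rubrica,o=ditta,c=it")` to see the branch admin get `write`, and swap in the Vendite admin to see it get nothing: the regex rule still claims the target, so the catch-all subtree rule is never reached. That "first matching rule only" behaviour is why the reply keeps every shared `by` clause in both rules.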