Hi,

On Tuesday 06 April 2004 15:28, [EMAIL PROTECTED] wrote:
> I'm developing a web-based app in perl which will front-end an
> OpenLDAP server. I want to have the user authenticate before
> allowing them to make changes, however, I also want to create ACLs
> on the server side which only allow certain accounts to edit certain
> attributes. Is there a way I can get a list of attributes a given cn
> is allowed to edit from the server so I know whether or not to
> display them as editable fields on the web page?
>
> For example, I want to only allow the 'manager' attribute to be
> edited by someone in the 'management' group, so a given user can't
> edit their own manager. So this field should not be displayed as
> editable to 'uid=juser' but should be editable to 'uid=jmanager'.

This depends very much on the LDAP directory server implementation.

For OpenLDAP specifically:
With the ACLs that are given in slapd.conf, you are out of luck.
These ACLs are applied, but not given out to clients.

With in-directory ACIs there is some chance to get the attributes you
are allowed to write: search and parse the OpenLDAPaci attribute of the
entry you want to change and of all the entries above this entry
(because of subtree ACIs).
IMHO this is almost impossible to do correctly, and besides it is
highly un-portable, since other directory server vendors do it
differently.

Better use a configuration file on the client side that determines the
relation between the user's authorisation and the attributes the user
is allowed to change. Of course you may also create special LDAP
attributes/entries for that purpose.

Peter

> Also, my LDAP server is authenticating against SASL/Kerberos 5.
> Since there are no entries in the LDAP password fields, how will
> authentication be handled? When I do a bind and pass the server the
> credentials, will it in turn get authentication against SASL/Kerb5,
> or will it try and use the password field?

perl-ldap supports SASL authentication.
Look for SASL in the Net::LDAP man page.

Peter

--
Peter Marschall
eMail: [EMAIL PROTECTED]
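The two pieces of advice above, a client-side map from the user's groups to the attributes the UI may offer as editable, and a SASL/GSSAPI bind through Net::LDAP, as an added Perl example that is not from the thread or from perl-ldap. The group-to-attribute table, the DNs and the hostname are assumptions; the server's own ACLs stay the real authorisation check, so the modify helper treats insufficientAccessRights as an expected result.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_INSUFFICIENT_ACCESS);
use Authen::SASL;

# Client-side policy (hypothetical; would normally come from a config file):
# which group may edit which attributes. Anything not listed is read-only.
my %editable_by_group = (
    management => [qw(manager title departmentNumber)],
    helpdesk   => [qw(telephoneNumber mail)],
);
# Attributes any authenticated user may edit on their own entry.
my @self_editable = qw(description mobile);

# Return a hashref of attribute => 1 for what $user may edit on $target.
sub editable_attrs {
    my ($user, $target, $groups) = @_;   # $groups: arrayref of group cn's
    my %ok;
    if ($user eq $target) { $ok{$_} = 1 for @self_editable; }
    for my $g (@$groups) { $ok{$_} = 1 for @{ $editable_by_group{$g} || [] }; }
    return \%ok;
}

# SASL (GSSAPI/Kerberos 5) bind: the Kerberos ticket is verified by the
# server's SASL layer, userPassword is never consulted. Host is a placeholder.
sub kerberos_bind {
    my ($host) = @_;
    my $ldap = Net::LDAP->new($host) or die "connect: $@";
    my $mesg = $ldap->bind(sasl => Authen::SASL->new(mechanism => 'GSSAPI'));
    die "bind failed: " . $mesg->error if $mesg->code;
    return $ldap;
}

# Apply a change. The UI filter above only decides what to display; the
# server ACL still decides, so a denial is a normal outcome, not a crash.
sub set_attr {
    my ($ldap, $dn, $attr, $value) = @_;
    my $mesg = $ldap->modify($dn, replace => { $attr => $value });
    return 'denied by server ACL' if $mesg->code == LDAP_INSUFFICIENT_ACCESS;
    return $mesg->code ? 'error: ' . $mesg->error : 'ok';
}

# Demonstration with the users from the thread (no server needed for this).
my $target = 'uid=juser,ou=people,dc=example,dc=com';
for my $who (['uid=juser,ou=people,dc=example,dc=com',    []],
             ['uid=jmanager,ou=people,dc=example,dc=com', ['management']]) {
    my ($dn, $groups) = @$who;
    my $ok = editable_attrs($dn, $target, $groups);
    printf "%-45s manager editable: %s\n", $dn, $ok->{manager} ? 'yes' : 'no';
}
```

The group list passed to editable_attrs would in practice come from a search on the user's group entries after the bind; the display filter must never replace the slapd.conf ACL, only mirror it.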