On Thu, 2009-03-26 at 21:33 -0600, Mike Lovell wrote:
> So I am setting up an LDAP for some user authentication and am working
> on some access control lists. Right now, I have just the rootdn that was
> set up when I installed slapd on my Debian Lenny box and that is
> currently the only account that can write to most of the directory. I
> want to set things up so that a small group of specified users have
> essentially full access to the directory. I'm not quite sure how to do
> this. I would like to have it so that I can add an attribute to a user's
> object that would then enable access. But I am also open to other
> alternatives. Hopefully some ldap savvy guys on the list can help me out
> with some examples. Thanks.
I'm assuming this is OpenLDAP since you didn't specify. ACLs are kind of
a pain with OpenLDAP since they're hard coded into the config, which
means that any changes require a daemon restart. Not cool.
What I've come up with is to create an ou for ACLs and create groups
within it. Then I assign users to that group and they automatically get
those ACLs applied. Here's an example:
# ou to hold all the ACLs
dn: ou=acl,dc=example,dc=com
ou: acl
objectClass: organizationalUnit
# super user group
dn: cn=superusers,ou=acl,dc=example,dc=com
cn: superusers
objectClass: groupOfNames
member: <dn of user 1>
member: <dn of user 2>
# slapd.conf ACL
# "by" clauses are tried top to bottom; the first one matching the bound
# identity decides, so the group clause must come before "by * read".
access to *
        by self write
        by group="cn=superusers,ou=acl,dc=example,dc=com" write
        by * read
Corey
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
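An added example (not from Corey's message or from the OpenLDAP project) that keeps the same ou=acl/cn=superusers group scheme but tightens the posted ACL in two places a practitioner will care about. First, "access to * by * read" lets every client, anonymous ones included, read userPassword hashes, so a rule for the password attributes has to come before the catch-all. Second, "by self write" on "to *" lets each user rewrite any attribute of their own entry; if the entries carry posixAccount data that includes uidNumber and gidNumber, which matters once the directory is used for login. Here self write is limited to the password attributes and everything else belongs to the superusers group. The fragment is written for the cn=config backend, so it is loaded with ldapmodify and takes effect without restarting slapd; it assumes the Lenny package default database entry olcDatabase={1}hdb,cn=config and the dc=example,dc=com suffix from the post, both of which you should check against your own tree.

```ldif
# Added example, not from the original post. Assumed names: the
# olcDatabase={1}hdb,cn=config database entry and the dc=example,dc=com
# suffix. "replace: olcAccess" discards every rule already on the
# database, so merge any existing rules into this list before loading it.
#
# {0} password attributes: the user and the superusers may write them,
#     everyone else may only bind against them ("auth"), never read them.
# {1} the group entry: only current superusers may change its members,
#     so no user can add himself even though he can write to his own entry.
# {2} everything else: superusers write, any authenticated user reads,
#     anonymous gets nothing.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by group="cn=superusers,ou=acl,dc=example,dc=com" write
  by anonymous auth
  by * none
olcAccess: {1}to dn.exact="cn=superusers,ou=acl,dc=example,dc=com"
  by group="cn=superusers,ou=acl,dc=example,dc=com" write
  by users read
  by * none
olcAccess: {2}to *
  by group="cn=superusers,ou=acl,dc=example,dc=com" write
  by users read
  by * none
```

Load it as root over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`; the Debian package grants the root SASL EXTERNAL identity write access to cn=config for exactly this purpose. Before trusting the result, check it offline with slapacl, which evaluates the ACLs without a bind: `slapacl -b "uid=bob,ou=people,dc=example,dc=com" -D "uid=alice,ou=people,dc=example,dc=com" userPassword/write` should report that write is denied, and the same command with a member of cn=superusers as -D should report it allowed. An anonymous `ldapsearch -x -b dc=example,dc=com` should then return no entries at all, and a bound ordinary user's search should return entries without a userPassword attribute.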
