Howard Lowndes wrote:

<snipped>

My concern, and my reason for originally seeking the hierarchical approach was to limit the level of management access inside the directory, eg. I don't want someone who has write access to domain A being allowed to have read access to domain B, or even knowing that domain B exists.


Fundamentally, an address directory like OpenLDAP is hierarchical (inverted tree structured). Can't be otherwise.

When I work on OpenLDAP I start with a tree (hierarchical) and graphical diagram like so:

dn: dc=example,dc=com   (can be e.g. dn: dc=slug,dc=org,dc=au or similar)
          |
   ---------------------------------------------------------------
   |                                 |                            |
dn: ou=People,dc=example,dc=com   dn: ou=Computers,dc=example,dc=com   etc....
          |
   ----------------------------------------------------------------------------
   |                                            |                              |
dn: uid=joeblue,ou=People,dc=example,dc=com   dn: uid=madamblue,ou=People,dc=example,dc=com   etc.....

joeblue can access only his dn and madamblue likewise by combining:
1. User authentication, and access control list (ACL)
E.g.: Check output of
ldapsearch -x -D "uid=joeblue,ou=People,dc=example,dc=com" -w password
ldapsearch -x -D "uid=madamblue,ou=People,dc=example,dc=com" -w password

Output only their respective dn's.

slapd.conf has:
......
rootdn   "cn=Manager,dc=example,dc=com"
rootpw   secret
......
#
access to *
     by self write
     by users none
     by anonymous auth
     by * none

after doing the following command:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -w secret -f sample.ldif

where the contents of sample.ldif are:
# Entry : root organization: dn: dc=example,dc=com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: example
dc: example

# Entry : ou=People,dc=example,dc=com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

# Entry : uid=joeblue,ou=People,dc=example,dc=com
dn: uid=joeblue,ou=People,dc=example,dc=com
cn: joeblue
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: joeblue
homeDirectory: /home/joeblue
loginShell: /bin/false
gecos: Administrator
uidNumber: 10000
gidNumber: 548
givenName: System
sn: Administrator
shadowExpire: 21914
shadowLastChange: 12944
displayName: System Administrator - Site A
userPassword: password

# Entry : uid=madamblue,ou=People,dc=example,dc=com
# (cn and uid are required by inetOrgPerson/posixAccount and uid is the
#  naming attribute, so ldapadd rejects the entry without them; home
#  directory and uidNumber must not be shared with joeblue)
dn: uid=madamblue,ou=People,dc=example,dc=com
cn: madamblue
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: madamblue
homeDirectory: /home/madamblue
loginShell: /bin/false
gecos: Administrator
uidNumber: 10001
gidNumber: 548
givenName: System
sn: Administrator
shadowExpire: 21914
shadowLastChange: 12944
displayName: System Administrator - Site B
userPassword: password

Hope these help.

O Plameras
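The ACL above works because slapd uses the first "access to" directive whose <what> matches the entry and, inside it, the first "by" clause whose <who> matches the requester. The following model of that evaluation is an added example, not code from the post or from OpenLDAP; the entry DNs are the post's, while the dn.subtree ruleset and the uid=adminA entry are assumptions added to show the per-site administrator case the question asked about.

```python
# Added example (not from the original post): a small model of how slapd
# picks the first matching 'access to' directive and, inside it, the first
# matching 'by' clause. Entry DNs are the post's; the dn.subtree ruleset for
# a per-site admin is an added assumption illustrating Howard's question.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def who_matches(who, bind_dn, target_dn):
    """Match one 'by <who>' selector; bind_dn is None for anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    if who.startswith("dn.exact="):
        return bind_dn == who[len("dn.exact="):]
    raise ValueError("unsupported <who> selector: " + who)

def what_matches(what, target_dn):
    """Match one 'access to <what>' selector: '*' or dn.subtree=<base>."""
    if what == "*":
        return True
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):]
        return target_dn == base or target_dn.endswith("," + base)
    raise ValueError("unsupported <what> selector: " + what)

def granted(acls, bind_dn, target_dn, wanted):
    """acls: [(what, [(who, level), ...]), ...] in slapd.conf order. The
    first matching <what> decides; within it the first matching <who>."""
    for what, clauses in acls:
        if what_matches(what, target_dn):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False  # directive matched, no 'by' clause did
    return False  # model only: every ruleset here ends in 'access to *'

# The ACL from the post: only 'self' gets anything beyond binding.
POSTED = [("*", [("self", "write"), ("users", "none"),
                 ("anonymous", "auth"), ("*", "none")])]
JOE = "uid=joeblue,ou=People,dc=example,dc=com"
MADAM = "uid=madamblue,ou=People,dc=example,dc=com"
# Assumption: adminA manages ou=SiteA only; everything else as posted.
A_ADMIN = "uid=adminA,ou=SiteA,dc=example,dc=com"
SITE = [("dn.subtree=ou=SiteA,dc=example,dc=com",
         [("dn.exact=" + A_ADMIN, "write"), ("self", "write"),
          ("users", "none"), ("anonymous", "auth"), ("*", "none")])] + POSTED
```

With POSTED, joeblue gets write on his own entry and nothing (not even disclose) on madamblue's entry or on ou=People; with SITE, adminA can write anywhere under ou=SiteA but cannot learn that ou=SiteB exists.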

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
