
Question about OpenLDAP Setup docu

Good evening all,

my name is Jan Braun.  I am just fiddling with my Debian system at home, 
especially with LDAP.  Therefore I was reading 


and struggled about this paragraph:
> Access controls for subtree-specific LDAP Admins
> If you choose to use LDAP for many functions, such as having a single server for DNS, Authentication, and networking flat file database replacement, you may wish to have LDAP administrative users for each subtree in addition to the global admin (dn="cn=admin, dc=example, dc=com). The following example is useful when using a separate authentication tree which includes Samba.
>  # The manager dn has full write access to the auth subtree
>  # Everyone else has read access to not otherwise protected fields and entries
>  access to dn.sub="ou=auth,dc=example,dc=com"
>          by dn="cn=Manager,ou=auth,dc=example,dc=com" write
>          by * read

As far as I have understood this topic, there should be a correction and 
an addition.  First, the global admin is dn="cn=admin,dc,example,dc=net"  
(there should be a '"' at the end of the DN).  I am convinced that the 
second line of the config example should also use this DN.  Hence, it 
should be

  by dn="cn=admin,ou=auth,dc=example,dc=com" write

If I am correct in that assumption, there should be a second ACL for the 
extra administrative user.  Something like this:

  by dn="cn=auth-admin,ou=auth,dc=example,dc=com" write

(I got myself an account for wiki.debian.org and could change this in the 
meantime.  I was not sure if that would be the correct and kind way to do 
so.  I missed a discussion button, as I experienced it on Wikipedia.)


  Dipl.-Ing. Jan Braun            Leiter IT-Cluster
  Rechenzentrum                   <Braun@rz.tu-clausthal.de>
  TU Clausthal                    http://www.rz.tu-clausthal.de/
  Erzstraße 51                    Tel.: 0 53 23 / 72-22 50
  38678 Clausthal-Zellerfeld      Fax.: 0 53 23 / 72-35 36
=== ypchsh /usr/local/bin/emacs :-)  (-: ``Go FORTH now and create ...'' ===

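A fuller ACL set in the same slapd.conf style, added here as an illustration; it is not taken from the wiki page or from Debian's shipped configuration, and the names cn=auth-admin,... and the rootdn line are assumptions. It orders the rules so that the subtree-wide `by * read` never exposes password hashes, and relies on the fact that the database rootdn (cn=admin,dc=example,dc=com in a default Debian slapd install) bypasses ACLs entirely, which is why it needs no `by dn=...` clause of its own.

```conf
# Database rootdn: not subject to any "access to" rule below.
# (assumed to match the global admin DN from the wiki page)
rootdn   "cn=admin,dc=example,dc=com"

# 1. Passwords first.  slapd evaluates "access to" clauses in order and
#    the first clause matching the target entry/attribute wins, so this
#    rule must precede the subtree-wide "by * read" below.
access to dn.subtree="ou=auth,dc=example,dc=com" attrs=userPassword
        by dn.exact="cn=auth-admin,ou=auth,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# 2. Everything else under ou=auth: the subtree admin (assumed name)
#    may write, everyone else may read.
access to dn.subtree="ou=auth,dc=example,dc=com"
        by dn.exact="cn=auth-admin,ou=auth,dc=example,dc=com" write
        by * read

# 3. Catch-all for the rest of the tree.
access to *
        by * read
```

slapacl(8) can check the outcome offline against the configured database, e.g. `slapacl -f /etc/ldap/slapd.conf -D "cn=auth-admin,ou=auth,dc=example,dc=com" -b "uid=someone,ou=auth,dc=example,dc=com" userPassword/write`, which reports whether that identity is granted write on that attribute.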