pollkasce.blogg.se

Apache directory studio create operational entry

With this rule any user can read all role entries for his branch. This doesn't seem to work at all, so I tried to add a general rule to access the role entries: olcAccess: to dn.regex="ou=Roles,dc=(+),dc=customers,dc=domain,dc=de$" group.expand="cn=Administrators,ou=Roles,dc=$1,dc=customers,dc=domain,dc=de" write by group.expand="cn=ProductionUser,ou=Roles,dc=$1,dc=customers,dc=domain,dc=de" read by group.expand="cn=TestUser,ou=Roles,dc=$1,dc=customers,dc=domain,dc=de" read This rule is similar to the one at the end of the openldap documentation, chapter 8.3.5. I tried to give those users the read permission for all member-attributes where their dn is entered with the following rule: olcAccess: to attrs=member,entry If I try to fetch operational attributes within Apache Directory Studio using a local administrator or a simple user no operational attribute will be displayed/fetched. Unfortunately only the "global" administrator is able to see operational attributes.


Create an entry point type using the following parameters. Under the schema you can create new attributes and objects for those. Open the connection. Right click on the schema pane and create a new schema with a unique name (ex. Choose offline/online and give a project name. To create an entry point of the inclusion type, right-click Inclusion Endpoint from the Class Hierarchy pane and select Extend. Right click in the project pane and create a new schema project.


For that I wanted to use the operational attribute memberOf which is supported by openldap. To create a standard entry point, right-click Endpoint from the Class Hierarchy pane and select Add Child Class. So far so good, everything works. Additionally I need to know to which groups a user belongs. One requirement for the user permissions is that a user can read its own entry, a local administrator can read all user entries in his branch and a "global" admin can read all user entries. For checking the permissions and to see if all works like expected I use the Apache Directory Studio. For defining user permissions I use an ldif file. Screenshot: Generating an LDIF export of a user in Apache Directory Studio. I'm configuring at the moment an openldap server. Highlight the user or group in Apache Directory Studio.














