List:       openldap-software
Subject:    Re: overlay unique - multiple suffixes
From:       Andreas Schoe <andi () gfz-potsdam ! de>
Date:       2008-07-31 8:31:38
Message-ID: 4891786A.4030902 () gfz-potsdam ! de

Yes,

there are different reasons for this strict distinction, especially 
security reasons.

I think I would have to choose the same naming context for both suffixes 
if I created a meta database and put slapo-unique there.

Is it an alternative? If it is, could I create a meta database with 
different naming contexts?

Aaron Richton wrote:
> On Tue, 29 Jul 2008, Michael Ströder wrote:
>
>>> I have two suffixes with two bdb backends, in the first suffix you 
>>> find internal and in the second suffix you find external users.
>>
>> You could glue the suffixes together under a common suffix if it does 
>> not violate your security requirements and place slapo-unique there.
>
> Presumably, the two suffix values are known in advance as constants. 
> Therefore it should be fairly trivial to write ACLs along the lines of:
>
> access to dn.subtree="ou=Area1,dc=suffix" [mostlyAllow]
> access to dn.subtree="ou=Area2,dc=suffix" [mostlyAllow]
> access to dn.subtree="dc=suffix" [mostlyDeny]
>
> which should allow slapo-unique to be used (under access internal to 
> slapd) while not granting additional access to the external world.
