[prev in list] [next in list] [prev in thread] [next in thread]
List: openldap-software
Subject: Re: overlay unique - multiple suffixes
From: Andreas Schoe <andi () gfz-potsdam ! de>
Date: 2008-07-31 8:31:38
Message-ID: 4891786A.4030902 () gfz-potsdam ! de
[Download RAW message or body]
Yes,
there are different reasons for this strict distinction. Especially for
security reasons.
I think I have to choose the same naming context for both suffixes, if I
would create a meta database and put slapo-unique there.
Is it an alternative? If it is, could I create a meta database with
different naming contexts?
Aaron Richton schrieb:
> On Tue, 29 Jul 2008, Michael Ströder wrote:
>
>>> I have two suffixes with two bdb backends, in the first suffix you
>>> find internal and in the second suffix you find external users.
>>
>> You could glue the suffixes together under a common suffix if it does
>> not violate your security requirements and place slapo-unique there.
>
> Presumably, the two suffix values are known in advance as constants.
> Therefore it should be fairly trivial to write ACLs along the lines of:
>
> access to dn.subtree="ou=Area1,dc=suffix" [mostlyAllow]
> access to dn.subtree="ou=Area2,dc=suffix" [mostlyAllow]
> access to dn.subtree="dc=suffix" [mostlyDeny]
>
> which should allow slapo-unique to be used (under access internal to
> slapd) while not granting additional access to the external world.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic