From: Chris R. <chr...@me...> - 2000-11-30 08:52:13
Bing Du <Bi...@ci...> wrote:

> I apologize if what I said is sort of off topic. I appreciate it if
> somebody can point me in the right direction.
>
> Does anybody have any experience with implementing proxy in LDAP?
> Specifically, here is what I want to accomplish:
>
> Assume there are two entries in the directory server like this:
>
> ===================
> entry1:
>
> dn: cn=owner1, ou=xxx, dc=xxx, dc=xxx
> name: owner1
> phonenumber: xxx
> proxy: owner2
>
> entry2:
>
> dn: cn=owner2, ou=xxx, dc=xxx, dc=xxx
> name: owner2
> phonenumber: xxx
> ===================
>
> As you can see, 'owner1' assigns 'owner2' as his proxy. So besides the DSA
> manager, only owner2 is able to modify owner1's entry.
>
> So far I have no idea where to start. Is this an ACL related issue?

Yes, it's an access control issue.

In the general case (allowing the proxy entry and the target entry to be anywhere in the DIT) you will need to add entryACI (an operational attribute with an ASN.1 (i.e. not text) syntax) to every entry with a proxy. If you keep all the entries maintained by one proxy in the same subtree (exclusively) then you would want to use prescriptiveACI (ACI which applies to all entries in a subtree).

Constructing the ACI values is not a huge problem if you can use Convert::ASN1 and know what the ACIItem syntax is (hint: read the manual!)

This will technically work, but would cause a big management overhead, especially if using the entryACI scheme (e.g. how do you change the overall policy defining what the proxies are allowed to do to the entry?) You may want to carefully consider what you are trying to achieve here.

Cheers,
Chris
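The entryACI value Chris describes, built as an added example (not from this thread or from any DSA's code) in Python with a small hand-rolled DER encoder rather than Convert::ASN1: it encodes a userFirst ACIItem naming owner2 as the user granted modify rights on owner1's entry. The ACIItem field layout is abridged from X.501 from memory and must be checked against the ACI schema the DSA actually implements; the DN components (dc=example, dc=com, ou=people), the identification tag and all helper names are constructed for the example.

```python
# Added example, not the thread's code: DER-encode an X.501 ACIItem (userFirst form)
# granting the named proxy modify rights. Layout abridged from X.501 from memory;
# check it against the DSA's ACI schema. DN and OIDs are constructed sample values.

def tlv(tag, body):                      # definite-length DER TLV
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    length = lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def seq(*items): return tlv(0x30, b"".join(items))
def setof(*items): return tlv(0x31, b"".join(sorted(items)))  # DER orders SET OF by encoding
def ctx(n, body): return tlv(0xA0 | n, body)                  # explicitly tagged [n]
def null(): return tlv(0x05, b"")
def enum(v): return tlv(0x0A, bytes([v]))
def utf8(s): return tlv(0x0C, s.encode())
def ia5(s): return tlv(0x16, s.encode())
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                   # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def bitstring(bits):                     # named-bit list; DER drops trailing zero bits
    buf = bytearray(max(bits) // 8 + 1)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)
    return tlv(0x03, bytes([(8 - (max(bits) + 1) % 8) % 8]) + bytes(buf))

CN, OU, DC = "2.5.4.3", "2.5.4.11", "0.9.2342.19200300.100.1.25"
def dn(*avas):                           # RDNSequence, root first (reverse of LDAP string form)
    return seq(*(setof(seq(oid(t), v)) for t, v in avas))

def proxy_aci(tag, proxy_dn, precedence=10):
    # Modify on the entry plus Add/Remove/Read on all user attributes and values
    user_classes = seq(ctx(2, setof(seq(proxy_dn))))      # name [2] SET OF NameAndOptionalUID
    perm = seq(seq(ctx(0, null()), ctx(4, null())),       # protectedItems: entry, allUserAttributeTypesAndValues
               bitstring([0, 4, 6, 14]))                  # grantAdd, grantRead, grantRemove, grantModify
    return seq(utf8(tag), integer(precedence),
               seq(enum(1)),                              # authenticationLevel: basicLevels { level simple(1) }
               ctx(1, seq(user_classes, setof(perm))))    # userFirst [1]

OWNER2 = dn((DC, ia5("com")), (DC, ia5("example")), (OU, utf8("people")), (CN, utf8("owner2")))
ACI = proxy_aci("owner1-proxy", OWNER2)                   # value for owner1's entryACI attribute
```

The management problem Chris raises is visible here: the policy (which bits are granted, on which protected items) is baked into every entry's value, so changing it means re-encoding and rewriting every entryACI rather than editing one prescriptiveACI in a subentry.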