... .. .
#######################################################################
# Applies to all backends
#######################################################################
defaultaccess   read
access to attr="userpassword"
        by self write
        by * compare

#######################################################################
# ldbm database definitions
#######################################################################
# First Database definition.
database        ldbm
lastmod         on
suffix          "o=CompanyA.com"
rootdn          "cn=AManager,o=CompanyA.com"
rootpw          secretwordA
directory       /var/lib/ldap/CompanyA
index           sn

# Second Database definition.
database        ldbm
lastmod         on
suffix          "o=CompanyB.com"
rootdn          "cn=BManager,o=CompanyB.com"
rootpw          secretwordB
directory       /var/lib/ldap/CompanyB
index           graduatingYear,sn
# Grant authorization to Admin100 for all in dept100
access to dn=".*,o=CompanyB.com" filter="deptno=dept100"
        by self write
        by dn="cn=Admin100,o=CompanyB.com" write

# OpenLDAP V1.2 style attribute and object class definition
attribute       deptno  cis
objectclass bemployee
        requires
                sn,
                cn,
                graduatingYear,
                objectclass
        allows
                mail,
                o,
                l,
                st,
                postalcode,
                c,
                givenname,
                deptno,
                userPassword
... .. .
Note that the two databases are separate and reside in separate directories. Each has its own rootdn and rootpw, so there are two independent administrators with two different passwords, and the rootdn of one database has no special standing in the other. Both rootpw values are stored in cleartext, so slapd.conf must be readable only by the user slapd runs as.
Also note that the second access clause grants Admin100 write access to entries under o=CompanyB.com whose deptno is dept100; entries in any other department are not covered by that clause and fall back to defaultaccess read, so Admin100 cannot modify them. The employee entries below omit graduatingYear, which the bemployee object class lists under requires; with schema checking enabled slapd rejects such entries, so either supply the attribute or move it to allows.
dn: o=CompanyB.com
objectclass: top
objectclass: organization
o: CompanyB.com

dn: cn=BManager,o=CompanyB.com
cn: BManager
sn: BManager
objectclass: top
objectclass: person

dn: cn=Admin100,o=CompanyB.com
cn: Admin100
sn: Admin100
objectclass: top
objectclass: person
userPassword: admin100secret

dn: cn=Albert Abama,o=CompanyB.com
cn: Albert Abama
sn: Abama
objectclass: top
objectclass: person
objectclass: bemployee
mail: albert@CompanyB.com
l: Dallas
st: TX
postalCode: 76111
c: US
deptno: dept100

dn: cn=Mary Bama,o=CompanyB.com
cn: Mary Bama
sn: Bama
objectclass: top
objectclass: person
objectclass: bemployee
mail: Mary@CompanyB.com
l: Dallas
st: TX
postalCode: 76111
c: US
deptno: dept200
ldapadd -cv -D "cn=AManager,o=CompanyA.com" -W < companya.ldif
ldapadd -cv -D "cn=BManager,o=CompanyB.com" -W < companyb.ldif
Test it with an anonymous search of the whole CompanyB.com tree (defaultaccess read lets every attribute except userPassword be seen):
ldapsearch -v -L -b "o=CompanyB.com" "objectclass=*"
This shows the effect of "access to attr=userpassword by self write": bound as itself, Admin100 gets its own userPassword back, because write access implies read access:
ldapsearch -v -L -D "cn=Admin100,o=CompanyB.com" -b "o=CompanyB.com" "objectclass=*" -W
This shows no userPassword, because an anonymous bind only falls under "by * compare", which does not allow the attribute to be read:
ldapsearch -v -L -b "o=CompanyB.com" "cn=Admin100"
This fails: AManager is the rootdn of the CompanyA.com database only, so in the CompanyB.com database it is an ordinary DN that matches none of the "by" clauses and has no authority to modify the entry.
ldapmodify -v -D "cn=AManager,o=CompanyA.com" -h localhost -W -f entrymods100
This is successful:
ldapmodify -v -D "cn=BManager,o=CompanyB.com" -h localhost -W -f entrymods100
This is also successful:
ldapmodify -v -D "cn=Admin100,o=CompanyB.com" -h localhost -W -f entrymods100
File entrymods100:
dn: cn=Albert Abama,o=CompanyB.com
changetype: modify
replace: mail
mail: albet@MegaMail.com
This fails: Mary Bama is in dept200, so the "filter=deptno=dept100" clause does not apply to her entry and Admin100 is left with defaultaccess read only:
ldapmodify -v -D "cn=Admin100,o=CompanyB.com" -h localhost -W -f entrymods200
File entrymods200:
dn: cn=Mary Bama,o=CompanyB.com
changetype: modify
replace: mail
mail: mary@MegaMail.com
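The results of the searches and modifies above follow directly from how slapd evaluates access clauses: the first "access to" clause whose entry/attribute selector matches is used, the first matching "by" clause inside it sets the privilege (an implicit "by * none" applies if none matches), entries no clause covers get defaultaccess, and the rootdn of a database bypasses its ACLs. The following Python model, added here as an illustration and not part of the tutorial or of OpenLDAP, encodes the two access clauses, the two rootdns and the CompanyB.com entries from this page and reproduces the pass/fail outcome of each command run above. Entries are taken from companyb.ldif; the function names are the example's own.

```python
"""Model of this tutorial's slapd.conf ACLs (added example, not OpenLDAP code).

Evaluation order mirrors slapd: first matching "access to" clause wins, first
matching "by" clause inside it decides the level, otherwise implicit none;
uncovered entries get defaultaccess; a database's rootdn bypasses its ACLs.
"""
import re

# Privilege levels, lowest to highest: a grant of level L permits every
# operation needing a level <= L (write implies read, read implies compare).
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}

DEFAULT_ACCESS = "read"                      # "defaultaccess read"

# suffix -> rootdn, from the two "database ldbm" sections.
DATABASES = {
    "o=CompanyA.com": "cn=AManager,o=CompanyA.com",
    "o=CompanyB.com": "cn=BManager,o=CompanyB.com",
}

# The two "access to ... by ..." clauses, in slapd.conf order.
ACLS = [
    {"attrs": {"userpassword"}, "dn": None, "filter": None,
     "by": [("self", "write"), ("*", "compare")]},
    {"attrs": None, "dn": r".*,o=CompanyB.com", "filter": ("deptno", "dept100"),
     "by": [("self", "write"), ("dn=cn=Admin100,o=CompanyB.com", "write")]},
]

# Entries constructed from companyb.ldif (attribute names lowercased).
ENTRIES = {
    "cn=Admin100,o=CompanyB.com": {"cn": ["Admin100"], "userpassword": ["admin100secret"]},
    "cn=Albert Abama,o=CompanyB.com": {"cn": ["Albert Abama"], "mail": ["albert@CompanyB.com"],
                                       "deptno": ["dept100"]},
    "cn=Mary Bama,o=CompanyB.com": {"cn": ["Mary Bama"], "mail": ["Mary@CompanyB.com"],
                                    "deptno": ["dept200"]},
}


def _rootdn_for(entry_dn):
    """rootdn of the database whose suffix the entry falls under, if any."""
    for suffix, rootdn in DATABASES.items():
        if entry_dn.lower().endswith(suffix.lower()):
            return rootdn
    return None


def _what_matches(acl, entry_dn, attr):
    """Does the clause's <what> (attrs / dn regex / filter) select this entry+attribute?"""
    if acl["attrs"] is not None and attr.lower() not in acl["attrs"]:
        return False
    if acl["dn"] is not None and not re.fullmatch(acl["dn"], entry_dn, re.IGNORECASE):
        return False
    if acl["filter"] is not None:
        fattr, fval = acl["filter"]
        values = [v.lower() for v in ENTRIES.get(entry_dn, {}).get(fattr, [])]
        if fval.lower() not in values:
            return False
    return True


def _who_matches(who, bound_dn, entry_dn):
    """Does a <who> of "*", "self" or "dn=<exact DN>" match the bound identity?"""
    if who == "*":
        return True
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bound_dn is not None and bound_dn.lower() == who[3:].lower()
    return False


def granted_level(bound_dn, entry_dn, attr):
    """Name of the privilege level bound_dn (None = anonymous) holds on attr of entry_dn."""
    rootdn = _rootdn_for(entry_dn)
    if bound_dn is not None and rootdn and bound_dn.lower() == rootdn.lower():
        return "write"                       # rootdn of this database: ACLs are skipped
    for acl in ACLS:
        if _what_matches(acl, entry_dn, attr):
            for who, level in acl["by"]:
                if _who_matches(who, bound_dn, entry_dn):
                    return level
            return "none"                    # implicit trailing "by * none"
    return DEFAULT_ACCESS


def allowed(bound_dn, entry_dn, attr, needed):
    return LEVELS[granted_level(bound_dn, entry_dn, attr)] >= LEVELS[needed]


def tutorial_results():
    """Outcome of each command run in the tutorial: True = succeeds, False = denied."""
    admin = "cn=Admin100,o=CompanyB.com"
    albert = "cn=Albert Abama,o=CompanyB.com"
    mary = "cn=Mary Bama,o=CompanyB.com"
    return {
        "Admin100 reads own userPassword": allowed(admin, admin, "userPassword", "read"),
        "anonymous reads Admin100 userPassword": allowed(None, admin, "userPassword", "read"),
        "anonymous reads Admin100 cn": allowed(None, admin, "cn", "read"),
        "AManager writes Albert mail": allowed("cn=AManager,o=CompanyA.com", albert, "mail", "write"),
        "BManager writes Albert mail": allowed("cn=BManager,o=CompanyB.com", albert, "mail", "write"),
        "Admin100 writes Albert mail (dept100)": allowed(admin, albert, "mail", "write"),
        "Admin100 writes Mary mail (dept200)": allowed(admin, mary, "mail", "write"),
    }


if __name__ == "__main__":
    for desc, ok in tutorial_results().items():
        print(f"{desc:42s} {'success' if ok else 'denied'}")
```

Run it and the seven lines printed match the tutorial: only the Mary Bama modify by Admin100 and the AManager modify are denied, and only the anonymous search is missing userPassword. The model deliberately leaves out things the page's config does not use (search-scope ACLs, "by * none" written explicitly, attribute lists with several names), so extend ACLS before using it to reason about a different slapd.conf.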
"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good, ISBN 0672323168, Addison-Wesley, second edition. It is general in nature but complete in that it covers all concepts in depth. It is a good book for those wanting to understand everything about LDAP, schema development and its capabilities.

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good, ISBN 1-57870-070-1, MacMillan Technical Publishing, first edition, out of print (used only). See the second edition above. This is the largest LDAP book I own. It is NOT a good programmer's reference, but it is good for those wanting to understand everything about LDAP, schema development and its capabilities. Netscape centric.

"Programming Directory-Enabled Applications with Lightweight Directory Access Protocol",
by Timothy A. Howes, PhD and Mark C. Smith, ISBN 1-57870-000-0, MacMillan Technical Publishing. Excellent programmer's reference for those using the LDAP C language API. Also covers search filters and LDAP URLs. The OpenLDAP source code is so poorly commented that I found this book was often the only source for an explanation of what was happening in the code.

"Implementing LDAP",
by Mark Wilcock, ISBN 1-861002-21-1, Wrox Press. This book covers all aspects of LDAP from LDIF to the LDAP SDK in C, Perl and Java. It has a strong Netscape Directory Server bias.

"LDAP System Administration",
by Gerald Carter, ISBN 1565924916, O'Reilly & Associates. This book covers the use of OpenLDAP and the integration of services.

"LDAP Programming, Management and Integration",
by Clayton Donley, ISBN 1930110405, Manning Publications, 1st edition. This book covers LDAP administration as well as introductory information. It covers the Directory Services Markup Language (DSML), the Perl LDAP module, and Java JNDI.

"Understanding LDAP - Design and Implementation", IBM Redbook,
by Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis and Johan Westman, IBM Redbook #SG24-4986-00. A reference to LDAP, available as PDF as well. This book has a bias towards IBM's eNetwork LDAP Directory server. Tight, terse, but covers everything.

"LDAP Implementation and Practical Use",
IBM Redbook #SG24-6193-00.