hi,this problem has puzzle me many days.
i hava set the aci in ldap that a entry (eg:ou=teachers,o=university) only be view by the entry(ou=admins,o=university),
but i don't know how to implement it,
could you plese tell me how to binding the viewer's identify when he/she search? thanks very much.
If you look under the articles section of this site (under the php main category) there are two articles that talk about php. Other than that, you may want to purchase the O'Reilly book. I'm tinkering with LDAP myself and don't have a specific answer to your question. Sorry.
Hi Arkang -
I am not sure where you are looking for help - whether it is setting the aci or testing the aci once it is set ...
First, either you dit isn't set up correctly - or you mistyped your intentions on the aci. The way the aci works is by allowing the entry to access something in the directory - either a branch point in the dit - or an entry specifically.
In your example you are saying that only the entry ou-admins,o=university can view the teachers ou. In reality you wouldn't have a password associated with an ou - so binding as that entry would most likely not be possible.
What you may consider doing is creating a group with all your administrators present - then allowing that group to view the ou with teachers in it.
Then you would add the aci to the ou=teachers,o=university entry - assigning the search capability to the admin group. Alternatively you could do it by assigning the right to search to each individual user - like uid=admin,ou=admins,o=university.
Then at that point you can test using ldapsearch by specifying your bind dn as uid=admin,ou=admins,o=university (or any member of the admins group if you create one and set the aci that way) and searching the ou=teachers,o=university branch.
I hope this helps in some way. If I am off base on what you are looking for - just post again and I'll try to help. It might be helpful to know which brand and version of directory server you are using as well ...
HTH
-Chris
thanks ldap4u and colpaarm,
to ldap4u
my realy question is:
the all people of the university were stored in different directory by different department(eg ou=dept1,o=university ... ou=dept2,o=university),and we have different application were stored in ldap too(eg dc=app1,o=university ... dc=app2,o=university),
how can i controle if a user who belong to dept1 logon success,she/he only can view dc=app1,but can't view dc=app2
Hi arkang,
So merely denying access to the information that is stored in the directory for the application may not be enough to ensure you get the results you need - you may need to further investigate the capabilities of your application to ensure it understands how to parse either ACI's in LDAP or to ensure it can process LDAP groups.
From a directory only perspective - you will need to set an aci at the application branch of the directory structure to allow access to only those who should have it. For instance you may want to set an aci on dc=app1,o=university (by the way this is a very odd dit structure) that allows access to only those users in ou=dept1,o=university. You have several ways to accomplish this - the most popularly used method would be to create a group (ideally a dynamic group) consisting of all the users that would have access to this branch point (dc=dept1,o=university). You may also be able to specify the list of people who should have acccess by using a wildcard in your aci statement - something like ldap:///*,ou=dept1,o=university ...