[nycphp-talk] Restricting page and record access with LDAP

Randal Rust randalrust at
Tue Jan 9 10:13:31 EST 2007

In the LDAP system that I am working on, we have a deliverable in the
statement of work that says, "Convert existing iPlanet access controls
to OpenLDAP access controls." I am sort of assuming that this refers
to Access Control Lists, but I am not 100% sure (I am flying solo on
this because the LDAP developer left the company and they have not
replaced him).

Not knowing anything about ACLs, I can only refer to my experience
with other PHP/MySQL applications that I have built, where we create
user groups and grant permissions based on the group the user is
assigned to.

From what I have been able to gather during reading, it's not going to
be as simple as taking the ACL from iPlanet and moving it over to
OpenLDAP (which is what I'm sure my bosses and the client probably

I can see in the slapd.conf file that I have how the ACL is set up for
the root user that we have. But here is what I am looking for:

1. How do I set up permissions for a user when I first add them to the
system? When a person is added, they are assigned to an organization,
which is part of their DN. A user should be able to modify the data
for the organization they are assigned to, along with any child

2. There is an object in the directory called "ldapaccess." It has an
attribute called "uniqueMember" that contains a list of all of the
authorized users. When someone logs in, I can check their
username/password against the record where that is stored, but I don't
quite see how this ldapaccess thing comes into play.

Randal Rust
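
An illustration of how the two requirements in the post (per-organization write access derived from the user's DN, and the "ldapaccess" uniqueMember list gating access) could be expressed as OpenLDAP slapd.conf ACL directives. This is an added example, not part of the original post or of the poster's configuration; the suffix dc=example,dc=com, the uid naming attribute, the admin DN and the location of the ldapaccess entry are all assumptions.

```text
# Hypothetical slapd.conf ACL fragment (added example; suffix, uid and the
# location of the ldapaccess entry are assumptions, not from the post).
# Rules are evaluated top-down: the first "access to" whose target matches
# the entry wins, then its "by" clauses are tried in order and the first
# match stops, so more specific rules must come before general ones.

# Bind credentials: a user may change their own password, anyone may
# authenticate against it, nobody else may read it (no hash disclosure).
# Listed first so no later entry-wide rule exposes userPassword.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Item 1: an organization entry and everything beneath it. The second
# parenthesised group captures "o=<org>,dc=example,dc=com" from the target
# entry; $2 in the "by" clause re-inserts it, so write access is granted only
# to a bound user whose own DN sits under that same organization.
# (The captured org DN ends in the directory suffix, so no trailing anchor
# is needed in the "by" regex.)
access to dn.regex="^(.*,)?(o=[^,]+,dc=example,dc=com)$"
    by dn.regex="^uid=[^,]+,$2" write
    by group/groupOfUniqueNames/uniqueMember.exact="cn=ldapaccess,dc=example,dc=com" read
    by * none

# Item 2: the "ldapaccess" entry itself. Its uniqueMember attribute is the
# authorized-user list consulted by the group clauses, so only the admin
# account may change it; members may read it, everyone else sees nothing.
access to dn.exact="cn=ldapaccess,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by group/groupOfUniqueNames/uniqueMember.exact="cn=ldapaccess,dc=example,dc=com" read
    by * none

# Everything else in the tree is readable only by ldapaccess members.
access to *
    by group/groupOfUniqueNames/uniqueMember.exact="cn=ldapaccess,dc=example,dc=com" read
    by * none
```

Before loading such rules, exercise them offline with slapacl(8), for example `slapacl -f slapd.conf -D "uid=rrust,o=Acme,dc=example,dc=com" -b "o=Acme,dc=example,dc=com" description/write`, which reports whether that bind DN would be granted the requested access (DNs here are constructed). Note that the rootdn configured in slapd.conf bypasses ACLs entirely, so test with an ordinary user DN.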
