OpenLDAP Faq-O-Matic: How do I allow entry creation?

OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : SLAPD Configuration : Access Control : How do I allow entry creation?

Let's say, you have it like this:

    o=<basedn>
        ou=domains
            associatedDomain=<somedomain>
                ou=users
                    uid=<someuserid>            
                    uid=<someotheruserid>
                ou=adressbooks
                    uid=<someuserid>
                        cn=<someone>
                        cn=<someoneelse>

and, for another domain <someotherdomain>:

    o=<basedn>
        ou=domains
            associatedDomain=<someotherdomain>
                ou=users
                    uid=<someuserid>            
                    uid=<someotheruserid>
                ou=adressbooks
                    uid=<someotheruserid>
                        cn=<someone>
                        cn=<someoneelse>

then, if you wanted user "uid=<someuserid>" to ONLY create an entry for it's own thing, I'd write an ACL like this:

# this rule lets users of "associatedDomain=<matcheddomain>"
# write under "ou=adressbook,associatedDomain=<matcheddomain>,ou=domains,o=<basedn>",
# i.e. a user can write ANY entry below its domain's address book;
# this permission is necessary, but not sufficient, the next 
# will restrict this permission further
access to dn.regex="^ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$" attrs=children
        by dn.regex="^uid=([^,]+),ou=users,associatedDomain=$1,ou=domains,o=<basedn>$$" write
        by * none
# Note that above the "by" clause needs a "regex" style to make sure
# it expands to a DN that starts with a "uid=<someuserid>" pattern
# while substituting the associatedDomain submatch from the "what" clause.

# This rule lets a user with "uid=<matcheduid>" of "<associatedDomain=matcheddomain>"
# write (i.e. add, modify, delete) the entry whose DN is exactly
# "uid=<matcheduid>,ou=addressbook,associatedDomain=<matcheddomain>,ou=domains,o=<basedn>"
# and ANY entry as subtree of it
access to dn.regex="^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$"
        by dn.exact,expand="uid=$2,ou=users,associatedDomain=$3,ou=domains,o=<basedn>" write
        by * none 
# Note that above the "by" clause uses the "exact" style with the "expand"
# modifier because now the whole pattern can be rebuilt by means of the
# submatches from the "what" clause, so a "regex" compilation and evaluation
# is no longer required.

tarjei@nu.no, ando@sys-net.it

[Append to This Answer]

Previous:	How do I allow a user write to all entries below theirs?
Next:	How do I give modify/delete permissions to an entry's creator only?

This document is: http://www.openldap.org/faq/index.cgi?file=950

	[Search]	[Appearance]
This is a Faq-O-Matic 2.721.test.