
help needed in setting acl

Hi,
I need some help in setting my ACL.
My dir hierarchy is

one organization
multiple organizationalUnit(s) underneath the organization
multiple account(s) underneath each organizationalUnit.
multiple person(s) underneath each account.

account has uid & userPassword. Each person has an owner which is a dn to
the account that created it.

(1) One can bind ONLY to the account

(2) Each account can create, modify, delete person object underneath
itself. Each account can read person info of other accounts.

Somewhere I read about giving access to parent (maybe ldapv3?). I need
something like that or better still ability to grant add entry and 
write access to each account. Any idea how I could do that? While the
below acl doesn't work, I thought you could comment on it too.


# Access to the root organization
access to dn="o=IISc,c=IN"
    by dn="cn=root,o=IISc,c=IN" write
    by * read

# Access to organizationalUnits like CS, EE, ECE
access to dn=".*,o=IISc,c=IN" filter='objectclass=organizationalUnit'
    by dn="cn=root,o=IISc,c=IN" write
    by dn=".*,o=IISc,c=IN" read
    by * none

# Access to userPassword in account
access to dn=".*,o=IISc,c=IN" filter='objectclass=account' attr=userPassword
    by self write
    by dn="cn=root,o=IISc,c=IN" write
    by * compare

# Netscape needs mail attribute to login (will it work?)
access to dn=".*,o=IISc,c=IN" filter='objectclass=account' attr=mail
    by self write
    by dn="cn=root,o=IISc,c=IN" write
    by dn=".*,o=IISc,c=IN" read
    by * compare

# Access to account
access to dn=".*,o=IISc,c=IN" filter='objectclass=account'
    by self write
    by dn="cn=root,o=IISc,c=IN" write
    by dn=".*,o=IISc,c=IN" read
    by * none

# Access to person under each account (by the use of owner dn)
access to dn=".*,o=IISc,c=IN" filter='objectclass=person'
    by dnattr=owner selfwrite
    by dn="cn=root,o=IISc,c=IN" write
    by dn=".*,o=IISc,c=IN" read
    by * none

access to * by * none
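As an added example (not from the original post), the same policy rewritten in OpenLDAP 2.x ACL syntax, granting each account add/delete rights on entries directly beneath it and full write on the persons it owns; it assumes account entries are named uid=<acct>,ou=<dept>,o=IISc,c=IN, persons cn=<name> beneath them, and cn=root,o=IISc,c=IN as the administrative DN. Two points it corrects in the posted version: in regex style an unanchored target such as dn="o=IISc,c=IN" matches every DN containing that suffix, so the first clause shadows all later ones, and selfwrite only lets the bound DN add or remove its own value in the owner attribute rather than write the entry.

```conf
# Assumed naming (not stated in the post):
#   ou=<dept>,o=IISc,c=IN                       organizationalUnit
#   uid=<acct>,ou=<dept>,o=IISc,c=IN            account (binds happen here)
#   cn=<name>,uid=<acct>,ou=<dept>,o=IISc,c=IN  person, owner=<account DN>
# Clauses are tried in order and the first "to" that matches the target
# entry wins, so the most specific targets are listed first.

# Account passwords: usable for authentication only, never readable.
access to dn.regex="^uid=[^,]+,ou=[^,]+,o=IISc,c=IN$" attrs=userPassword
    by self write
    by dn.exact="cn=root,o=IISc,c=IN" write
    by anonymous auth
    by * none

# Nobody can bind as a person: no auth access to a person's userPassword.
access to dn.regex="^cn=[^,]+,uid=[^,]+,ou=[^,]+,o=IISc,c=IN$" attrs=userPassword
    by dn.exact="cn=root,o=IISc,c=IN" write
    by * none

# The "children" pseudo-attribute of the account entry is what add and
# delete of entries directly beneath it check: this is the "add entry" grant.
access to dn.regex="^uid=[^,]+,ou=[^,]+,o=IISc,c=IN$" attrs=children
    by self write
    by dn.exact="cn=root,o=IISc,c=IN" write
    by * none

# The account entry itself: its owner edits it, other accounts read it.
access to dn.regex="^uid=[^,]+,ou=[^,]+,o=IISc,c=IN$"
    by self write
    by dn.exact="cn=root,o=IISc,c=IN" write
    by dn.subtree="o=IISc,c=IN" read
    by * none

# Person entries: the account named in "owner" may modify and delete
# them (delete also needs the children grant above); other accounts read.
access to dn.regex="^cn=[^,]+,uid=[^,]+,ou=[^,]+,o=IISc,c=IN$"
    by dnattr=owner write
    by dn.exact="cn=root,o=IISc,c=IN" write
    by dn.subtree="o=IISc,c=IN" read
    by * none

# Organization and organizationalUnits: root writes, bound accounts read.
access to dn.subtree="o=IISc,c=IN"
    by dn.exact="cn=root,o=IISc,c=IN" write
    by dn.subtree="o=IISc,c=IN" read
    by * none
```

A new person entry must carry owner=<DN of the binding account>, otherwise the dnattr=owner clause gives the creator no write access to the entry it is adding.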