Re: multiple admins and access rights
"Kurt D. Zeilenga" wrote:
>
> At 12:26 PM 4/14/00 +0200, Kai Martius wrote:
> >Hello,
> >
> >First, thanks to the developers for the great job done with OpenLDAP!
> >
> >Here's my question:
> >Is it possible within the current access control model to have something
> >like "shared administration", that is, I want to grant the right to
> >create new entries with a specific set of attributes to Admin1. Admin2
> >should be able to modify these entries by adding / modifying other
> >attributes, but neither to modify the entries written by Admin1 nor to
> >delete the entry itself. I tried it with the following access rules
> >(that didn't work :-( ).
> >
> >Admin2 should have the right to add / modify a postaladdress, but
> >nothing else. Admin1 therefore should be able to create the entry and
> >write cn, ou, o and c attributes:
> >
> >defaultaccess read
> >access to * attrs=dn,cn,ou,o,c
> >    by dn="cn=Admin1,o=myorg,c=de" write
> >    by * read
> >
> >access to * attr=postaladdress
> >    by dn="cn=Admin2,o=myorg,c=de" write
> >    by * read
> >
> >Did I miss something important here?
>
> Permission to write to the entry.
>
> access to * attrs=entry
>     by dn="cn=Admin?,o=myorg,c=de" write
>     by * read
I'm struggling with the same type of problem as Kai. I found using the
following did not work in my environment:
access to *
    by dn="uid=admin?,ou=People,o=regence" write
    by self write
    by * read
I tried the following with success.
access to *
    by dn="uid=admin[0-9],ou=People,o=regence" write
    by self write
    by * read
Does anyone have any suggestions as to why the "?" fails? Both "admin?"
and "admin[0-9]" appear to be valid regular expressions.
--
Rick Fadler
rfadler@keystroke.com
206-576-4579
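The following is an added example, not code from anyone on this thread or from OpenLDAP itself: a small Python simulation of how slapd evaluates the rules quoted above (first `access to` clause covering the attribute wins, first matching `by` clause within it decides, `defaultaccess` applies only when no clause covers the attribute). It assumes, as the clauses in this thread rely on, that a bare `dn="..."` pattern is a POSIX regex matched unanchored and case-insensitively against the bind DN, and that add and delete operations are checked against write access on the `entry` pseudo-attribute. The parser (`parse_acl`) handles only the subset of slapd.conf syntax used in these messages; the DNs and the `cn=Someone` target are constructed.

```python
import re

# slapd access levels, weakest to strongest.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}


def parse_acl(text):
    """Parse 'access to <what> by <who> <level>' blocks into a list of
    (attributes covered, [(who, level), ...]).  Hypothetical helper covering
    only what this thread uses: an attrs=/attr= list (or '*' for every
    attribute, 'entry' included) and who clauses '*', 'self', dn="<pattern>"."""
    acls = []
    for block in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        m = re.search(r"attrs?=(\S+)", lines[0])
        attrs = set(m.group(1).split(",")) if m else {"*"}
        by = []
        for line in lines[1:]:
            who, level = re.match(r"by\s+(.+?)\s+(\w+)$", line).groups()
            by.append((who, level))
        acls.append((attrs, by))
    return acls


def who_matches(who, requester, target):
    if who == "*":
        return True
    if who == "self":
        return requester.lower() == target.lower()
    pattern = re.match(r'dn="(.*)"$', who).group(1)
    # Assumption: a bare dn= pattern is a regex applied to the bind DN,
    # unanchored and case-insensitive.  '?' and '[0-9]' are regex operators,
    # not shell globs: 'admin?' means 'admi' plus an optional 'n'.
    return re.search(pattern, requester, re.I) is not None


def granted(acls, requester, target, attr, default="read"):
    """Level the first clause covering `attr` grants `requester`.  A clause
    that covers the attribute but has no matching 'by' denies; if no clause
    covers it, defaultaccess (read in Kai's config) applies."""
    for attrs, by in acls:
        if "*" in attrs or attr in attrs:
            for who, level in by:
                if who_matches(who, requester, target):
                    return level
            return "none"
    return default


def can(acls, requester, op, target, attrs=()):
    """Would slapd allow `op`?  add and delete need write on the 'entry'
    pseudo-attribute; add and modify need write on every attribute touched."""
    needed = list(attrs) + (["entry"] if op in ("add", "delete") else [])
    return all(LEVELS[granted(acls, requester, target, a)] >= LEVELS["write"]
               for a in needed)


# Constructed copies of the rules in the thread.
KAI = """
access to * attrs=dn,cn,ou,o,c
    by dn="cn=Admin1,o=myorg,c=de" write
    by * read

access to * attr=postaladdress
    by dn="cn=Admin2,o=myorg,c=de" write
    by * read
"""
# Kurt's 'entry' rule prepended: once as written, once with a character class.
ENTRY_RULE = """
access to * attrs=entry
    by dn="cn=Admin{pat},o=myorg,c=de" write
    by * read
"""
KAI_ENTRY_QMARK = ENTRY_RULE.format(pat="?") + KAI
KAI_ENTRY_CLASS = ENTRY_RULE.format(pat="[12]") + KAI

RICK = """
access to *
    by dn="uid=admin{pat},ou=People,o=regence" write
    by self write
    by * read
"""
RICK_QMARK, RICK_CLASS = RICK.format(pat="?"), RICK.format(pat="[0-9]")


def demo():
    a1, a2 = "cn=Admin1,o=myorg,c=de", "cn=Admin2,o=myorg,c=de"
    new, new_attrs = "cn=Someone,o=myorg,c=de", ["cn", "ou", "o", "c"]
    r1, bob = "uid=admin1,ou=People,o=regence", "uid=bob,ou=People,o=regence"
    return {
        # Kai's rules: nothing grants Admin1 write on 'entry', so add fails.
        "kai_admin1_add": can(parse_acl(KAI), a1, "add", new, new_attrs),
        # 'Admin?' never matches 'Admin1'; 'Admin[12]' does.
        "qmark_admin1_add": can(parse_acl(KAI_ENTRY_QMARK), a1, "add", new, new_attrs),
        "class_admin1_add": can(parse_acl(KAI_ENTRY_CLASS), a1, "add", new, new_attrs),
        "class_admin2_postal": can(parse_acl(KAI_ENTRY_CLASS), a2, "modify", new, ["postaladdress"]),
        "class_admin2_cn": can(parse_acl(KAI_ENTRY_CLASS), a2, "modify", new, ["cn"]),
        # Write on 'entry' is also what delete checks, so Admin2 may delete.
        "class_admin2_delete": can(parse_acl(KAI_ENTRY_CLASS), a2, "delete", new),
        "rick_qmark_add": can(parse_acl(RICK_QMARK), r1, "add", bob, ["uid"]),
        "rick_class_add": can(parse_acl(RICK_CLASS), r1, "add", bob, ["uid"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'allowed' if ok else 'denied'}")
```

Running `demo()` reproduces both symptoms from the thread: Kai's rules deny the add because no clause gives write on `entry`, and a `by dn="...admin?..."` clause denies `admin1` because `?` is a regex quantifier, while `admin[0-9]` matches. The simulation also surfaces a point worth checking before adopting an `attrs=entry` rule that covers both admins: write on `entry` is the same grant that delete needs, so Admin2 then gains the delete right Kai wanted to withhold.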