
Access rights/adding new people



  I am currently developing contact/personnel management software based on
LDAP and I have run across the following problem.

  Our access configuration allows only read access and write access to
certain attributes as well as whole entries as you can see in the included
part of the config file:

-----------------------------------------------------------
# By default, only read access is allowed
defaultaccess   read

access to * by self write

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attribute=userPassword
        by dn="uid=root,o=BIBA,c=DE" write
        by self write
        by dn="^$" none
        by * none

# The admin dn has full write access
access to * by dn="uid=root,o=BIBA,c=DE" write

# Department access
access to dn=".*,ou=PPC,o=BIBA,c=DE"
        by dnattr=ou write

# Access for manager users
access to dn=".*,ou=.*,o=BIBA,c=DE"
        by dnattr=manager write

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
access to dn=".*,ou=Roaming,o=BIBA,c=DE"
        by dnattr=owner write
-----------------------------------------------------------

  My problem is that this config does not allow users to add *new* entries,
i.e. a secretary adding a new contact.

  The only way I can think of to allow this is by setting the default access
to "write" and then restricting use of all the attributes.

  Does anyone have a good idea on this one?

-- 
 I've been asked if vi was an easy editor to learn, whether it was intuitive
or not. My general response to this question is: "Yes, some of us think so.
		But most people think that we are crazy."