Problem in ACLs
Hi All,
I am having some problems with ACLs in OpenLDAP. What I want to
achieve is to grant attribute-level access to my users, i.e. the users may
modify some attributes of their own entry, but are not allowed to modify
the others; only the administrator may modify them. I have tried many different
variants of my ACL, which is given below.
I have been successful in giving full control of the user's node
to the user, but not limited access.
I am using OpenLDAP 1.2.11 (stable).
My questions are:
1. Where am I wrong?
2. What can I do to achieve the desired results?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include         /openldap/slapd.at.conf
include         /openldap/slapd.oc.conf
schemacheck     on
pidfile         /ldap-db/slapd.pid
argsfile        /ldap-db/slapd.args

database        ldbm
directory       /ldap-db
suffix          "o=<My Org>, c=<Country>"
rootdn          "cn=root, o=<My Org>, c=<Country>"
rootpw          <password>

access to attr=userpassword
        by self write
        by dn="cn=root,o=<My Org>,c=<Country>" write
        by * compare

access to attrs=mobile, mail, streetAddress
        by self write
        by dn="cn=root,o=<My Org>,c=<Country>" write
        by * read

access to *
        by * read
        by dn="cn=root,o=<My Org>,c=<Country>" write

defaultaccess   read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My LDIF is as follows...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dn: o=<My Org>, c=<Country>
objectclass: top
objectclass: organization
o: <My Org>

dn: ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Dept. 1>

dn: ou=<Dept. 2>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Dept. 2>

dn: ou=<Dept. 3>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Dept. 3>

dn: ou=<Dept. 4>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Dept. 4>

dn: ou=<Sub Dept. 1>, ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 1>

dn: ou=<Sub Dept. 2>, ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 2>

dn: ou=<Sub Dept. 3>, ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 3>

dn: ou=<Sub Dept. 1>, ou=<Dept. 2>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 1>

dn: ou=<Sub Dept. 2>, ou=<Dept. 2>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 2>

dn: cn=root, o=<My Org>, c=<Country>
objectclass: top
objectclass: person
objectclass: <org>Person
cn: root
uid: root
userpassword: <password>

dn: cn=<Common Name>, ou=<Sub Dept. 2>, ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: newPilotPerson
objectclass: <org>Person
cn: <Common Name>
sn: <Last Name>
fn: <First Name>
title: <Title>
uid: <Unique ID>
userPassword: <Password>
mail: <email Address>
homePhone: <Home Telephone>
telephoneNumber: <Office Telephone Number>
mobile: <Mobile Phone>
streetAddress: <Home Address>
homeCity: <Home City>
homeCountry: <Home Country>
officeAddress: <Office Address>
l: <City>
--
Muhammad Bilal Shabbir
mbilal@zdnetmail.com
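A small model of how slapd evaluates the three posted rules, added here as an example and not part of the original message. It assumes OpenLDAP's documented first-match semantics (the first "access to" whose target matches is chosen, then the first "by" clause in it whose subject matches) and uses the post's placeholder DNs as constructed sample values; it shows, for instance, that in the posted "access to *" rule the "by * read" clause shadows the root "write" clause that follows it.

```python
# Privilege levels in increasing order; a granted level implies the lower ones.
LEVELS = ["none", "compare", "search", "read", "write"]
ROOT_DN = "cn=root,o=<My Org>,c=<Country>"   # rootdn placeholder from the post

# The posted "access to" rules, in their posted order:
# (attribute set, or None for "*", [(subject, level), ...]), names lower-cased.
ACLS = [
    ({"userpassword"},
     [("self", "write"), (ROOT_DN, "write"), ("*", "compare")]),
    ({"mobile", "mail", "streetaddress"},
     [("self", "write"), (ROOT_DN, "write"), ("*", "read")]),
    (None,
     [("*", "read"), (ROOT_DN, "write")]),
]
DEFAULT = "read"   # "defaultaccess read" from the posted slapd.conf


def norm(dn):
    """Canonicalise a DN for comparison: lower-case, no blanks after commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def subject_matches(subject, bind_dn, target_dn):
    """Does a "by" subject match the bound DN acting on entry target_dn?"""
    if subject == "*":
        return True
    if bind_dn is None:               # anonymous: only "*" can match
        return False
    if subject == "self":
        return norm(bind_dn) == norm(target_dn)
    return norm(bind_dn) == norm(subject)


def granted(bind_dn, target_dn, attr):
    """Level the posted rules give bind_dn on attribute attr of target_dn.

    Note: the real rootdn bypasses ACLs entirely in slapd; it is modelled
    here only to make the clause ordering in "access to *" visible.
    """
    for attrs, by_clauses in ACLS:
        if attrs is not None and attr.lower() not in attrs:
            continue                  # this rule does not cover the attribute
        for subject, level in by_clauses:
            if subject_matches(subject, bind_dn, target_dn):
                return level          # first matching "by" wins, rest ignored
        return "none"                 # rule matched, no "by" did: denied
    return DEFAULT                    # no rule matched: defaultaccess applies


def allows(bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(granted(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```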