Problem in ACLs



Hi All,
	I am having some problems with ACLs in OpenLDAP. What I want to
achieve is to grant attribute-level access to my users, i.e. the user may
modify some attributes of his/her own entry, but is not allowed to modify
the others; only the administrator may modify them. I have tried many different
variants of my ACL, which is given below.

	I have been successful in giving full control of the user's node
to the user, but not limited access.


I am using OpenLDAP 1.2.11 (stable).

My questions are:

1. Where am I wrong?
2. What can I do to achieve the desired results?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include		/openldap/slapd.at.conf
include		/openldap/slapd.oc.conf
schemacheck	on
pidfile		/ldap-db/slapd.pid
argsfile		/ldap-db/slapd.args
database		ldbm
directory		/ldap-db
suffix		"o=<My Org>, c=<Country>"
rootdn		"cn=root, o=<My Org>, c=<Country>"
rootpw		<password>

access to attr=userpassword 
	by self write
	by dn="cn=root,o=<My Org>,c=<Country>" write 
	by * compare 

access to attrs=mobile, mail, streetAddress 
	by self write
	by dn="cn=root,o=<My Org>,c=<Country>" write 
	by * read 

access to * 
	by * read
	by dn="cn=root,o=<My Org>,c=<Country>" write 

defaultaccess	read

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

My LDIF is as follows:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dn: o=<My Org>, c=<Country>
objectclass: top
objectclass: organization
o: <My Org>

dn: ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Dept. 1>

dn: ou=<Dept. 2>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Dept. 2>

dn: ou=<Dept. 3>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Dept. 3>

dn: ou=<Dept. 4>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Dept. 4>

dn: ou=<Sub Dept. 1>, ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 1>

dn: ou=<Sub Dept. 2>, ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 2>

dn: ou=<Sub Dept. 3>, ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 3>

dn: ou=<Sub Dept. 1>, ou=<Dept. 2>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 1>

dn: ou=<Sub Dept. 2>, ou=<Dept. 2>, o=<My Org>, c=<Country>
objectclass: top
objectclass: organizationalUnit
ou: <Sub Dept. 2>

dn: cn=root, o=<My Org>, c=<Country>
objectclass: top
objectclass: person
objectclass: <org>Person
cn: root
uid: root
userpassword: <password>

dn: cn=<Common Name>, ou=<Sub Dept. 2>, ou=<Dept. 1>, o=<My Org>, c=<Country>
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: newPilotPerson
objectclass: <org>Person
cn: <Common Name>
sn: <Last Name>
fn: <First Name>
title: <Title>
uid: <Unique ID>
userPassword: <Password>
mail: <email Address>
homePhone: <Home Telephone>
telephoneNumber: <Office Telephone Number>
mobile: <Mobile Phone>
streetAddress: <Home Address>
homeCity: <Home City>
homeCountry: <Home Country>
officeAddress: <Office Address>
l: <City>

-- 
Muhammad Bilal Shabbir
mbilal@zdnetmail.com

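Added example (not from the original message or from OpenLDAP): a small Python simulation of how slapd picks an ACL, following the evaluation order documented in the OpenLDAP admin guide. The first `access to` directive whose attribute list matches is the only one consulted; within it the first matching `by` clause decides; the granted level must be at least the requested one (none < compare < search < read < write); the rootdn is never subject to ACLs; and `defaultaccess` applies only when no directive matches. The config text inside it copies the structure of the ACL above with assumed DNs under o=Example,c=US, and writes the attribute list as one whitespace-free token, which is how slapd.conf tokenises it. `dn=` subjects are compared as normalised strings rather than regular expressions, and a matched directive with no matching `by` clause is treated as `none`; both are simplifications of the simulator, not statements about slapd 1.2.

```python
"""Simulate slapd.conf ACL evaluation with OpenLDAP's documented first-match rules.

Added example, not code from the original post or from OpenLDAP. DNs, the
config text and the bind DNs below are constructed for the demonstration.
"""
from __future__ import annotations
import shlex
from dataclasses import dataclass

LEVELS = ["none", "compare", "search", "read", "write"]

# Constructed config, modelled on the poster's slapd.conf with assumed DNs.
SLAPD_CONF = """\
rootdn        "cn=root, o=Example, c=US"
access to attrs=userPassword
        by self write
        by dn="cn=root,o=Example,c=US" write
        by * compare
access to attrs=mobile,mail,streetAddress
        by self write
        by dn="cn=root,o=Example,c=US" write
        by * read
access to *
        by * read
        by dn="cn=root,o=Example,c=US" write
defaultaccess read
"""

def norm_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: trim spaces around RDNs, lowercase."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

@dataclass
class By:
    who: str        # "*", "self" or a normalised DN (regex matching is not modelled)
    level: str

@dataclass
class Directive:
    attrs: frozenset | None   # None means "access to *"
    by: list

@dataclass
class Policy:
    rootdn: str
    default: str
    directives: list

def parse(conf: str) -> Policy:
    """Parse the slapd.conf subset needed here. As in slapd.conf, a directive is
    split on whitespace (quotes honoured) and an indented line continues it."""
    lines: list[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    pol = Policy(rootdn="", default="read", directives=[])  # assumed fallback if no defaultaccess line
    for line in lines:
        tok = shlex.split(line)
        if tok[0] == "rootdn":
            pol.rootdn = norm_dn(tok[1])
        elif tok[0] == "defaultaccess":
            pol.default = tok[1]
        elif tok[0] == "access":
            d = Directive(attrs=None, by=[])
            i = 2                                   # skip "access to"
            while i < len(tok) and tok[i] != "by":  # the <what> part
                if tok[i].lower().startswith(("attr=", "attrs=")):
                    d.attrs = frozenset(a.lower() for a in tok[i].split("=", 1)[1].split(","))
                i += 1
            while i < len(tok):                     # repeated "by <who> <level>"
                who = tok[i + 1]
                if who.lower().startswith("dn="):
                    who = norm_dn(who[3:])
                d.by.append(By(who, tok[i + 2]))
                i += 3
            pol.directives.append(d)
    return pol

def allowed(pol: Policy, bind_dn: str, entry_dn: str, attr: str, want: str) -> tuple[bool, str]:
    """Decide one access request and report which rule decided it."""
    if bind_dn and norm_dn(bind_dn) == pol.rootdn:
        return True, "rootdn bypasses access control"
    for n, d in enumerate(pol.directives, 1):
        if d.attrs is not None and attr.lower() not in d.attrs:
            continue                                # not this directive's attributes
        for b in d.by:                              # first matching <who> wins
            is_self = b.who == "self" and bool(bind_dn) and norm_dn(bind_dn) == norm_dn(entry_dn)
            if b.who == "*" or is_self or b.who == norm_dn(bind_dn):
                return LEVELS.index(b.level) >= LEVELS.index(want), f"directive {n}: by {b.who} {b.level}"
        return False, f"directive {n}: no by clause matched"   # simulator assumption: none
    return LEVELS.index(pol.default) >= LEVELS.index(want), f"defaultaccess {pol.default}"

USER = "cn=Jane Doe,ou=Sub Dept 2,ou=Dept 1,o=Example,c=US"     # constructed
OTHER = "cn=John Roe,ou=Sub Dept 1,ou=Dept 1,o=Example,c=US"    # constructed

def demo() -> dict:
    """Evaluate a set of (bind DN, entry DN, attribute, requested level) cases."""
    pol = parse(SLAPD_CONF)
    cases = {
        "self writes mail":            (USER, USER, "mail", "write"),
        "self writes telephoneNumber": (USER, USER, "telephoneNumber", "write"),
        "other reads mail":            (OTHER, USER, "mail", "read"),
        "other writes mail":           (OTHER, USER, "mail", "write"),
        "anon compares userPassword":  ("", USER, "userPassword", "compare"),
        "anon reads userPassword":     ("", USER, "userPassword", "read"),
        "root writes telephoneNumber": ("cn=root, o=Example, c=US", USER, "telephoneNumber", "write"),
    }
    return {name: allowed(pol, *args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:30} {'ALLOW' if ok else 'DENY':5} ({why})")
```

Running it prints which directive decided each case: the user binding as self can write mail through the second directive, but a write to telephoneNumber falls through to `access to *`, where `by * read` matches first and caps the user at read. The `by dn="cn=root,..."` clauses never fire in the simulation because the rootdn bypasses access control altogether, which is also how slapd treats the rootdn.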