Re: authentication problem
> Let's say I got a user called "fred". fred has got an administrative role
> in my department and I want him to be able to change data and group
> settings of one group (his department) and of all users who are members of
> this group (but not of any other user).
> The problem is, though it is easily accomplished to have a group being
> able to access a certain subtree (by using the "access to ... by
> group=..."), I am not able to define an ACL like:
>
> access to group=... by ...
marc, look at this (from "OpenLDAP 2.0 Administrator's Guide", but works
similarly for OpenLDAP 1.2.X):
<access directive> ::= access to <what>
        [by <who> <access> <control>]+
<what> ::= * | [ dn[.<target style>]=<regex>]
        [filter=<ldapfilter>] [attrs=<attrlist>]
(- cut -)
The <what> part of an access specification determines the entries and
attributes to which the access control applies. Entries can be selected in
two ways: by a regular expression matching the entry's distinguished name:
        dn=<regular expression>
Or, entries may be selected by a filter matching some attribute(s) in the
entry:
        filter=<ldap filter>
where <ldap filter> is a string representation of an LDAP search filter, as
described in RFC2254.
(- cut -)
should work...
see: http://www.openldap.org/doc/admin/slapdconfig.html for further
information
regards
daniel
--
Daniel Tiefnig
Servertechnology
INFONOVA IT GmbH
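
One way to apply the filter form of <what> to the question in this thread, as an added slapd.conf example in OpenLDAP 2.0 syntax that is not part of the original message or of the guide. It assumes department membership is recorded in each user's ou attribute; all DNs, the sales-admins group and the ou=Sales value are placeholders.

```conf
# Constructed example: every DN, the sales-admins group and the use of
# ou=Sales as the department marker are assumptions, not from the thread.

# ou decides which entries the filter rules below select, so nobody but
# the rootdn (which bypasses ACLs) may write it.
access to attrs=ou
    by users read

# Passwords of department members: the department admins may reset them.
access to filter=(&(objectClass=inetOrgPerson)(ou=Sales)) attrs=userPassword
    by group="cn=sales-admins,ou=groups,dc=example,dc=com" write
    by self write
    by anonymous auth

# Passwords of everyone else.
access to attrs=userPassword
    by self write
    by anonymous auth

# The department's own group entry.
access to dn.base="cn=sales,ou=groups,dc=example,dc=com"
    by group="cn=sales-admins,ou=groups,dc=example,dc=com" write
    by users read

# All other attributes of entries whose ou marks them as department members.
access to filter=(&(objectClass=inetOrgPerson)(ou=Sales))
    by group="cn=sales-admins,ou=groups,dc=example,dc=com" write
    by users read

# Everything else.
access to *
    by users read
```

slapd uses the first access directive whose <what> matches, so the ou rule has to stay above the filter rules. If it came later, a department admin could rewrite ou and so move entries into or out of his own scope.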