
Complex access control lists
Let's say I have a branch in my LDAP tree named
"ou=Aliases,dc=mvista,dc=com". Below that are email alias entries that
follow rfc2307 (as created by PADL's MigrationTools). Let's say a member
of a mailing list is under the attribute "rfc822MailMember". Let's also
say that there is an "rfc822MailMember: tomas" entry for dn
"cn:users,ou=Aliases,dc=mvista,dc=com". If there was a dn of
"uid=tomas,ou=People,dc=mvista,dc=com", with "uid=tomas", and I could
either bind with that above dn (uid=tomas,ou=People,dc=mvista,dc=com),
or via SASL/GSSAPI (in which the binding dn would be either "uid=tomas"
or "uid=tomas@MVISTA.COM"; not quite sure which), then with what acl
directive could I use so that I can remove myself from that mailing list
I am an rfc822MailMember of?

Also, I'm not quite sure how "dnattr" works. Could I, for the above
situation, use:

access to dn=".+,ou=Aliases,dc=mvista,dc=com" attrs=rfc822MailMember
	by dnattr=rfc822MailMember	selfwrite
	by *				read

From the Admin Guide I read, it seems to match rfc822MailMember (in the
above directive) with what dn I am bound as. If I bind as
"dn:uid=tomas,ou=People,dc=mvista,dc=com", then do I need to have set
"rfc822MailMember: uid=tomas,ou=People,dc=mvista,dc=com"? Or is it
something else?

Also, let's say there is an entry "rfc822MailMember:
tomas@earthlink.net". If I bind as "uid=tomas", "uid=tomas@MVISTA.COM",
or "uid=tomas,ou=People,dc=mvista,dc=com", then with what access
directive can I remove myself if I have the above entry?

If I have only one attribute I want to grant access to, would I use the
"attrs=" qualifier in the access directive, or "attr="?

Thanks a bunch.

--
Tomas Maly
"IT Freak"
MontaVista Software
(408) 328-8429
tmaly@mvista.com
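The following is an added illustration, not part of the original post and not slapd's own code: a small Python model of how a "by dnattr=<attr> selfwrite" clause is evaluated, run over constructed entries shaped like the ones in the question. Two assumptions are built in and labelled in the comments: that dnattr only works with an attribute of DN syntax (rfc822MailMember from RFC 2307 is an IA5 string, so slapd will not accept it there), and that selfwrite permits a matched subject to add or delete only a value equal to its own bound DN. The entry names, the "member" group and the ACL tuples are constructed for the example.

```python
# Added example: a model of OpenLDAP's "dnattr" and "selfwrite" ACL clauses.
# It is written for this page; it is not slapd's code. All entries and ACLs
# below are constructed.

# Assumption: dnattr is only valid for attributes whose syntax is DN
# (or NameAndOptionalUID). rfc822MailMember is not one of them, so an ACL
# line naming it in dnattr is rejected; the model treats it as never matching.
DN_SYNTAX_ATTRS = {"member", "owner", "seealso", "roleoccupant"}


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators so DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def attr_values(entry: dict, attr: str) -> list:
    """Case-insensitive attribute lookup on a dict-shaped entry."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return list(values)
    return []


def dnattr_matches(bound_dn: str, entry: dict, attr: str) -> bool:
    """'by dnattr=<attr>' applies when the bound DN is listed as a value of
    <attr> in the entry being accessed."""
    if attr.lower() not in DN_SYNTAX_ATTRS:
        return False  # slapd would refuse this ACL at startup
    me = normalize_dn(bound_dn)
    return any(normalize_dn(v) == me for v in attr_values(entry, attr))


def access_granted(acl, bound_dn: str, entry: dict, op: str, value: str) -> bool:
    """Decide whether an 'add' or 'delete' of one value is allowed.

    acl is a list of (who, who_arg, access) tuples standing for the 'by'
    clauses of one access directive. As in slapd, clauses are tried in
    order and the first one whose 'who' part matches decides the result.
    """
    if op not in ("add", "delete"):
        raise ValueError("this model only evaluates value add/delete")
    for who, who_arg, access in acl:
        if who == "dnattr":
            if not dnattr_matches(bound_dn, entry, who_arg):
                continue
        elif who != "*":
            raise ValueError(f"unsupported 'who' clause in this model: {who}")
        if access == "write":
            return True
        if access == "selfwrite":
            # Assumption: only the subject's own DN may be added or removed.
            return normalize_dn(value) == normalize_dn(bound_dn)
        return False  # read or lower never permits a modify
    return False


# Constructed entries. ALIAS mirrors the rfc2307 alias in the question;
# GROUP is a DN-valued group, which is the shape dnattr can work with.
ALIAS = {
    "dn": "cn=users,ou=Aliases,dc=mvista,dc=com",
    "rfc822MailMember": ["tomas", "tomas@earthlink.net"],
}
GROUP = {
    "dn": "cn=users,ou=Groups,dc=mvista,dc=com",
    "member": ["uid=tomas,ou=People,dc=mvista,dc=com",
               "uid=bob,ou=People,dc=mvista,dc=com"],
}
TOMAS = "uid=tomas,ou=People,dc=mvista,dc=com"
BOB = "uid=bob,ou=People,dc=mvista,dc=com"
CAROL = "uid=carol,ou=People,dc=mvista,dc=com"

# The directive from the question, and a DN-valued variant of it.
ACL_ALIAS = [("dnattr", "rfc822MailMember", "selfwrite"), ("*", None, "read")]
ACL_GROUP = [("dnattr", "member", "selfwrite"), ("*", None, "read")]


def demo() -> dict:
    """Run the scenarios a reader would want to see side by side."""
    return {
        # dnattr cannot match a non-DN attribute, so only "read" remains
        "alias_remove_self": access_granted(ACL_ALIAS, TOMAS, ALIAS, "delete", "tomas"),
        # listed member removing its own DN: allowed
        "group_remove_self": access_granted(ACL_GROUP, TOMAS, GROUP, "delete", TOMAS),
        # listed member removing someone else: refused by selfwrite
        "group_remove_other": access_granted(ACL_GROUP, TOMAS, GROUP, "delete", BOB),
        # not yet listed, so dnattr never matches: cannot add itself
        "group_add_unlisted": access_granted(ACL_GROUP, CAROL, GROUP, "add", CAROL),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Two points the model makes visible: dnattr compares the bound DN against DN-valued attribute values, so a plain "tomas" or "tomas@earthlink.net" string can never match it, and selfwrite only lets a subject that is already listed remove (or re-add) its own DN. Separately, the `dn=".+,ou=Aliases,..."` target form is the old regex syntax; in OpenLDAP 2.1 and later the explicit style is `dn.regex="..."`. For SASL/GSSAPI binds, the authorization DN slapd derives by default has the form `uid=<user>,cn=<realm>,cn=gssapi,cn=auth`, and `authz-regexp` is the directive that maps it onto an entry such as `uid=tomas,ou=People,dc=mvista,dc=com` so that DN-based clauses apply to it.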