[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Implementation advice

To: John Blakeley <john.blakeley@mon.bbc.co.uk>
Subject: Re: Implementation advice
From: Pierangelo Masarati <pmasarati@bci.it>
Date: Tue, 29 May 2001 14:23:46 +0200
Cc: OpenLDAP-software <OpenLDAP-software@OpenLDAP.org>
Organization: SysNet
References: <Pine.LNX.4.21.0105290900320.16170-100000@localhost.localdomain>

John Blakeley wrote:

> Hi
>
> So far, I have a 3-branch ldap tree, ou=People, ou=Groups (which
> contains "Admin") and ou=DataDef.
>
> I need users to add/edit/delete their own 'DataDef' entries, but not see
> anyone else's, unless they are 'Admin'.
>
> Is there anyway to implement this, assuming I implement an attribute that
> contains the users dn in the 'DataDef'. An example acl would be greatly
> appreciated.

access to dn="[^,]+,ou=DataDef,<your suffix>"
    by dnattr=owner write
    by dn.exact="cn=Admin,ou=Groups,<your suffix>" read
    by * none

the entries with dn="([^,]+),ou=DataDef,<your suffix>"
must have a "owner" attribute which must be set to the
dn of the person that is allowed to modify them.

I hope this is what you mean.

Pierangelo.

--
Dr. Pierangelo Masarati    mailto:ando@sys-net.it
Developer, SysNet s.n.c.   http://www.sys-net.it

References:
- Implementation advice
  - From: John Blakeley <john.blakeley@mon.bbc.co.uk>

Prev by Date: Re: Back-ldap and Proxy
Next by Date: LDAP and WinNT Authentication
Index(es):
- Chronological
- Thread