
ACL for owner of subtree
Assuming a directory that looks something like:

o=foo
  ou=people
    uid=aaa
    uid=bbb
    ...
  ou=groups
  ou=services

In "o=foo", I have the "owner" attribute which contains the dn
"uid=aaa,ou=people,o=foo".

In slapd.conf, I have the following ACLs:
access to *
	by dnattr=owner write
	by self write
	by * read

With the above configuration, uid "aaa" can modify * in "o=foo" and in
"uid=aaa,ou=people,o=foo". As for uid "bbb", he can only modify * in
"uid=bbb,ou=people,o=foo". This is all good.

The problem is that I would also like uid "aaa" to have the permission
to modify "uid=bbb,ou=people,o=foo" and all other uid's under
"ou=people,o=foo". This should be done with the following
considerations:

1. The entry "uid=bbb,ou=people,o=foo" should not have to contain the
attribute owner with the "aaa" dn.
2. The ACL should not contain anything specific to "aaa" or "bbb". For
instance, the following would work but would require changing every time
a user is added or removed:
access to *
	by dn="uid=bbb,ou=people,o=foo" write
	by dnattr=owner write
	by self write
	by * read

Thanks,
Marc - Sitepak
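One way to express this in slapd.conf, added here as an example and not part of the original message, uses the set= clause described in slapd.access(5) to look up the owner of o=foo at evaluation time; it assumes OpenLDAP 2.1 or later (dn.subtree style targets) and a build where set ACLs, which the manual flags as experimental, are available.

```conf
# Added example, not from the original message. Gives whichever DN is
# listed in the "owner" attribute of o=foo write access to every entry
# under ou=people,o=foo, with no user DN hard-coded in the ACL and no
# owner attribute required on the individual uid entries.
# Assumes OpenLDAP 2.1 or later and that set= ACL clauses are available.

# Most specific target first: slapd uses the first "access to" whose
# target matches the entry, so a leading "access to *" would shadow this.
# "[o=foo]/owner" is the set of values of the owner attribute of o=foo;
# "& user" intersects it with the bound DN, so the clause matches only
# when the bound DN is listed as an owner of o=foo.
access to dn.subtree="ou=people,o=foo"
	by set="[o=foo]/owner & user" write
	by dnattr=owner write
	by self write
	by * read

# Everything else keeps the behaviour of the original configuration.
access to *
	by dnattr=owner write
	by self write
	by * read
```

With this ordering "aaa" can modify "uid=bbb,ou=people,o=foo" because o=foo names it as owner, while "bbb" still gets write access only to its own entry; changing the owner attribute of o=foo is the only step needed to hand the subtree to a different account.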