Re: access control help
--On Saturday 16 June 2001 20:07 +0200 pe7@gmx.de said:
Hello,
I want to get the following: the LDAP data is structured in this way:
root
    cn=user1
        address0
        address1
        address2
        ...
    cn=user2
        address0
        address1
        address2
        ...
    cn=user3
    ...
My current configuration is:
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="cn=Admin,dc=orderrace,dc=com" write
    by * none
access to *
    by users write
But the problem is that each user is also able to read and write other
subtrees. Is it possible to set up slapd.conf in such a way that each user
can read and write only within its own subtree? It would be good if I didn't
have to write an access rule for every user, because then I would have to
restart the LDAP server after each user change. Could someone please give me
an example of how I could set the access rights? I have made a lot of trials
but didn't succeed, and also couldn't find help in the list archive.
I haven't tried it, but inspired by <http://www.openldap.org/faq/data/cache/451.html> and <http://www.openldap.org/faq/data/cache/452.html> I suggest something like:
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="cn=Admin,dc=orderrace,dc=com" write
    by * none
access to dn.regex=".*,cn=(.*),dc=orderrace,dc=com"
    by dn.regex=".*,cn=$1,dc=orderrace,dc=com" write
    by * none
This should give anyone in a subtree write access to all entries in that subtree, except for the userPassword attribute of those entries, to which it has no access at all (except its own, to which it has write access).
I'd be interested to know if it works!
----
David Olivier
David.Olivier@univ-lyon2.fr
Les Cahiers antispécistes: http://www.cahiers-antispecistes.org/
Ducks and pigeons,
pigs and lambs
put their drops of blood
under the multiplications;
and the terrible howls of the gutted cows
fill the valley with pain
where the Hudson gets drunk on oil.
Federico Garcia Lorca
----
Visit a slaughterhouse!
http://vegetariensplessis.online.fr/temoignage.html
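The regex ACL in the reply above relies on two slapd behaviours: the group captured by the `access to dn.regex` pattern is substituted for `$1` in the `by dn.regex` clause, and neither pattern is anchored unless it carries `^` and `$`. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of that evaluation (first matching `access to` wins, then the first matching `by` clause, no match means no access) run over constructed DNs in the shape of the poster's tree. It also tries an anchored variant (an assumption of this example, in the style of the OpenLDAP FAQ entries the reply cites) so the two can be compared. Assumptions: DNs are already normalized, the `attr=userPassword` rule is left out, and the address entries are named `cn=address0` under `cn=userN`.

```python
import re

# Added example, not part of the thread: a model of how slapd evaluates
# regex ACLs.  Each rule is (target regex, list of by-clauses); a by-clause
# is (subject regex with $N placeholders, access level).
# Assumptions: DNs are normalized, only dn-based rules are modelled, and
# Python's re.search, like slapd's regexec, matches unanchored unless the
# pattern carries ^ and $.

# The rule exactly as proposed in the reply.
ACL_PROPOSED = [
    (r".*,cn=(.*),dc=orderrace,dc=com",
     [(r".*,cn=$1,dc=orderrace,dc=com", "write"),
      (r".*", "none")]),
]

# Anchored variant (an assumption of this example, not from the thread):
# the optional "(.+,)?" prefix lets the rule cover cn=userN itself as well
# as every entry beneath it, and "[^,]+" stops the capture at the next RDN.
ACL_ANCHORED = [
    (r"^(.+,)?cn=([^,]+),dc=orderrace,dc=com$",
     [(r"^(.+,)?cn=$2,dc=orderrace,dc=com$", "write"),
      (r".*", "none")]),
]


def expand(subject_pattern, target_match):
    """Replace $1..$9 with the groups captured by the 'access to' regex.
    The captured text is spliced into the pattern verbatim, so a value
    containing regex metacharacters is read as regex, not matched literally."""
    return re.sub(
        r"\$(\d)",
        lambda m: target_match.group(int(m.group(1))) or "",
        subject_pattern,
    )


def access_level(acl, bind_dn, target_dn):
    """Level granted to bind_dn on target_dn: the first 'access to' whose
    regex matches the target wins, then the first matching 'by' clause in
    it; if nothing matches anywhere the result is no access."""
    for target_pattern, clauses in acl:
        target_match = re.search(target_pattern, target_dn)
        if target_match is None:
            continue
        for subject_pattern, level in clauses:
            if re.search(expand(subject_pattern, target_match), bind_dn):
                return level
        return "none"
    return "none"


if __name__ == "__main__":
    # Constructed DNs in the shape of the poster's tree.
    user1 = "cn=user1,dc=orderrace,dc=com"
    user1_child = "cn=address0,cn=user1,dc=orderrace,dc=com"
    user2_child = "cn=address0,cn=user2,dc=orderrace,dc=com"
    cases = ((user1, user1_child), (user1, user1),
             (user1_child, user1_child), (user1, user2_child))
    for name, acl in (("proposed", ACL_PROPOSED), ("anchored", ACL_ANCHORED)):
        for bind_dn, target_dn in cases:
            print(f"{name}: {bind_dn} on {target_dn}: "
                  f"{access_level(acl, bind_dn, target_dn)}")
```

Running it shows what the reply's wording implies: with the proposed rule, a bind DN that sits inside the subtree (`cn=address0,cn=user1,...`) gets write access to that subtree and nothing in `cn=user2`, while a bind as `cn=user1,dc=orderrace,dc=com` itself matches neither pattern, because both require a comma before `cn=`. The anchored variant grants user1 write access to its own entry and its children and still denies user2's subtree. Against a live server, the same checks are done by binding as each user and running ldapmodify; slapd's `-d acl` debug level prints which clause matched.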