Re: Advanced ACL configuration?
Quoting Daniel Tiefnig <openldap@qmail.infonova.at> [04 Jul-01 10:04]:
> <stefan@alfredsson.org> wrote...
> > I'm wondering if ACL's can be built by using information in the LDAP
> > database itself?
> >
> > For example, if user X is authenticated and has an attribute
> > (for example) canModify: uid=y, o=foobar
> >
> > then this user would have write access to the DN's listed?
> >
> a similar discussion was in the mailing list some time ago:
> <quote Howard Chu from Sat, 12 May 2001 19:57:41 -0700>
>
> access to *
> by selfattr=account write
selfattr seemed to be excluded in my version (2.0.7), but the
other variant by using set=... seems to work.
Going over the documentation once again I found that dnattr might
work as well. Instead of defining in the "owner" object what subjects
it can modify, define the owner in the subject.
I.e. instead of saying "account X can write a,b,c", we say that
"a can be written by X, b can be written by X, c ...."
Or have I misunderstood the functionality of dnattr?
> have a look at the list archive, (especially the above mentioned thread)
> there were some discussions about advanced ACLs, and some of them were
> pretty good.
Yes, thanks for the advice. Strange that I did not find it when I
searched for it earlier (before posting the question :)
Regards,
Stefan
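As an added illustration of the two approaches discussed in this thread (this is an example written for this page, not configuration posted by Stefan, Daniel or Howard Chu): the dnattr variant records the owner in the target entry, while the set= variant keeps the list of writable DNs in the requester's own entry, as in the original canModify question. It assumes the standard DN-valued "owner" attribute from OpenLDAP's core schema is populated on the entries under o=foobar, a hypothetical DN-valued attribute "canModify" defined in the requester's entry for the set= rule, and a hypothetical administrator DN cn=admin,o=foobar. The dn.subtree="..." target form is the later (2.1 and newer) syntax; on 2.0.x the regex dn="..." form would be used instead.

```conf
# slapd.conf ACL fragment, added example (not from the original thread).
# Assumes: "owner" (standard DN-syntax attribute) is set on entries under
# o=foobar; "canModify" is a hypothetical DN-valued attribute in the
# requester's own entry; cn=admin,o=foobar is a hypothetical admin DN.
# slapd uses the first "access to" clause whose target matches, and within
# it the first "by" clause whose subject matches, so order is significant.

# Variant 1: dnattr. Ownership lives in the target entry.
# Protect the owner attribute itself first: without this clause a delegated
# writer could reassign the entry to any DN, including their own.
access to dn.subtree="o=foobar" attrs=owner
    by dn.exact="cn=admin,o=foobar" write
    by * read

# Everything else under o=foobar: whoever is named in the entry's owner
# attribute may write it; everyone else may only read.
access to dn.subtree="o=foobar"
    by dnattr=owner write
    by * read

# Variant 2: set=. The list of writable DNs lives in the requester's entry.
# "user/canModify" expands to the DNs in the bound user's canModify
# attribute, "this" is the target entry's DN; the clause matches only when
# the intersection is non-empty, i.e. the target is listed in canModify.
access to dn.subtree="o=foobar"
    by set="user/canModify & this" write
    by * read
```

With variant 2 the same reassignment concern applies in reverse: whoever may write the requester's canModify attribute effectively controls the grant, so that attribute should be restricted with its own attrs= clause placed before the general rule, exactly as owner is above. Test any such rule set with ldapmodify bound as an ordinary user before relying on it, since a misordered clause silently falls through to a broader one.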