[Date Prev][Date Next] [Chronological] [Thread] [Top]

Complex permissions for OpenLDAP

To: openldap-software@OpenLDAP.org
Subject: Complex permissions for OpenLDAP
From: Mike Eheler <meheler@searchbc.com>
Date: Thu, 09 Aug 2001 09:27:13 -0700
Organization: Search BC
References: <Pine.GSO.4.05.10108091202130.1270-100000@mailserver2.xpedite.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.3) Gecko/20010801

Basically I'm trying to restrict/enable userPassword access, and am failing miserably.

Say I have this structure

cn=SubUser,uid=User,ou=People,o=ExampleCompany,c=CA

If I'm logged in as uid=User,ou=People,... I want to be able to edit/view the userPassword for cn=SubUser, and justly have it work heirarchily.. let's pretend that I could log in as ou=People I would want to be able to view/edit passwords for everyone below me (including myself).

There are hundreds of entries at the uid level, and none of them should be able to view/edit the userPassword of the user that is below me, except me, and only when I'm bound with that authentication.

Make sense? So far I'm able to give full read/write access to everyone except anonymous, or hide it altogether from everyone, except the logged in user (meaning I'd have to bind as cn=SubUser in order to view/edit the password).

Well, that was a mouthful, and I hope it makes sense to someone. Any help on this matter is *greatly* appreciated.

Mike Eheler

References:
- openldap performance numbers vs NS
  - From: Archive User <archive@xpedite.com>

Prev by Date: openldap performance numbers vs NS
Next by Date: Re: openldap performance numbers vs NS
Index(es):
- Chronological
- Thread