Re: Access control question
"sheujun" wrote...:
> I want to define the ACL like this:
> 1. the child node can read other nodes on the same level in the same group
# siblings: entries directly under the same ou may read each other
# ($1 is the ou captured from the entry being accessed)
access to dn.regex="^cn=[^,]+,ou=([^,]+),dc=com$"
        by dn.regex="^cn=[^,]+,ou=$1,dc=com$" read
        by * none
> 2. the father node can write its own children
# father -> children: the entry one level below cn=$1,ou=$2 may be
# written by that father (the leading .+, restricts this to children)
access to dn.regex="^.+,cn=([^,]+),ou=([^,]+),dc=com$"
        by dn.regex="^cn=$1,ou=$2,dc=com$" write
        by * none
> 3. the child node can read its own father node
# child -> father: an entry directly below cn=$1,ou=$2 may read it
access to dn.regex="^cn=([^,]+),ou=([^,]+),dc=com$"
        by dn.regex="^[^,]+,cn=$1,ou=$2,dc=com$" read
        by * none
> 4. every node can write itself
access to *
        by self write
        by * none
notes:
1) these ACLs are considered to work "stand-alone", so you'll have to
figure out yourself how to combine them..
2) I haven't tried any of these, so they might be buggy or not work at
all.. trial and error may be a good way in this case.. :o)
3) remember that ACLs are processed from top to bottom, and slapd quits
ACL parsing as soon as one of the clauses matches both "to" and "by"
conditions
4) the ACLs are designed to work on just one level; to get them to work
with children at deeper levels, you'll have to "generalize" the DNs a
bit..
5) the ACLs are definitely not designed to work "as is", you _will_ have
to do significant rework..
AFAIR there are also some interesting discussions in the archive of this
list.
http://www.openldap.org/lists/openldap-software/
hth,
daniel
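An added example, not part of the original post and not OpenLDAP code: a small Python model of how slapd walks an ACL list (first matching "to" clause wins, then the first matching "by" clause inside it decides, otherwise access is none). It is run against the four ACLs above in the order they are listed, and against a merged version in which each entry pattern appears once with all of its "by" clauses. The DNs (cn=alice, cn=bob, cn=laptop, ou=eng) and the evaluator itself are constructed for illustration; the model ignores DN normalisation, attribute-level rules and slapd's own config parsing.

```python
import re

# Access levels in slapd's order, weakest first (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def allows(granted, needed):
    """True if the granted level implies the needed one ('write' implies 'read')."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def _expand(template, match):
    """Substitute $1..$9 in a <who> pattern with the groups captured by the
    <what> regex, verbatim, as slapd does for dn.regex <who> clauses."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), template)


def evaluate(acls, target_dn, requester_dn):
    """Return the access level requester_dn gets on target_dn.

    Model of slapd's evaluation: the first <what> clause whose regex matches
    the target entry is the only one considered; inside it the first matching
    <who> clause decides; if no <who> matches, access is "none".  Patterns are
    searched unanchored (like regexec), so anchor them with ^ and $.
    """
    for what, whos in acls:
        match = None
        if what != "*":
            match = re.search(what, target_dn)
            if match is None:
                continue
        for who, access in whos:
            if who == "*":
                return access
            if who == "self":
                if requester_dn == target_dn:  # simplification: no DN normalisation
                    return access
                continue
            pattern = _expand(who, match) if match else who
            if re.search(pattern, requester_dn):
                return access
        return "none"  # a <what> matched but no <who> did: implicit "by * none"
    return "none"  # no <what> matched at all


# The four ACLs from the post, anchored, simply concatenated in the order given.
CONCATENATED = [
    # 1. siblings (same ou) may read each other
    (r"^cn=[^,]+,ou=([^,]+),dc=com$",
     [(r"^cn=[^,]+,ou=$1,dc=com$", "read"), ("*", "none")]),
    # 2. the father may write its children
    (r"^.+,cn=([^,]+),ou=([^,]+),dc=com$",
     [(r"^cn=$1,ou=$2,dc=com$", "write"), ("*", "none")]),
    # 3. a child may read its father (same <what> as rule 1, so never reached)
    (r"^cn=([^,]+),ou=([^,]+),dc=com$",
     [(r"^[^,]+,cn=$1,ou=$2,dc=com$", "read"), ("*", "none")]),
    # 4. everyone may write itself (shadowed by rules 1 and 2 for matching DNs)
    ("*", [("self", "write"), ("*", "none")]),
]

# Same rights, but each entry pattern appears once with all of its <who>
# clauses, so no clause is shadowed by an earlier "by * none".
MERGED = [
    (r"^cn=([^,]+),ou=([^,]+),dc=com$",
     [("self", "write"),
      (r"^cn=[^,]+,ou=$2,dc=com$", "read"),        # siblings
      (r"^[^,]+,cn=$1,ou=$2,dc=com$", "read"),     # own children
      ("*", "none")]),
    (r"^.+,cn=([^,]+),ou=([^,]+),dc=com$",
     [("self", "write"),
      (r"^cn=$1,ou=$2,dc=com$", "write"),          # the father
      ("*", "none")]),
    ("*", [("self", "write"), ("*", "none")]),
]


def rights(acls):
    """Evaluate a few constructed DNs (not real directory data) against an ACL list."""
    father = "cn=alice,ou=eng,dc=com"
    sibling = "cn=bob,ou=eng,dc=com"
    child = "cn=laptop,cn=alice,ou=eng,dc=com"
    return {
        "sibling reads father": evaluate(acls, father, sibling),
        "child reads father": evaluate(acls, father, child),
        "father writes child": evaluate(acls, child, father),
        "child writes itself": evaluate(acls, child, child),
        "sibling reads child": evaluate(acls, child, sibling),
    }


if __name__ == "__main__":
    for name, acls in (("concatenated", CONCATENATED), ("merged", MERGED)):
        print(name)
        for case, level in rights(acls).items():
            print(f"  {case:22s} -> {level}")
```

With the rules simply concatenated, the child is denied reading its father and denied writing itself, because rules 1 and 2 already match those entries and end in "by * none", so rules 3 and 4 are never consulted; the merged list gives the intended results. The same merged structure, written in slapd.conf syntax, is one "access to" directive per entry pattern with the "by" clauses listed in that order.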