
Re: Access control question



"sheujun" wrote...:

> I want to define the ACL like this:
> 1. the child node can read other nodes on the same level in the same group

# 1. nodes on the same level may read each other within their group
#    (dn.regex makes the regex style explicit; patterns are anchored with ^ and $)
access to dn.regex="^cn=[^,]+,ou=([^,]+),dc=com$"
	by dn.regex="^cn=[^,]+,ou=$1,dc=com$" read
	by * none

> 2. the father node can write its own children

# 2. a father node may write its own (direct) children
#    [^,]+, in front of cn=$1 matches exactly one RDN below the father
access to dn.regex="^[^,]+,cn=([^,]+),ou=([^,]+),dc=com$"
	by dn.regex="^cn=$1,ou=$2,dc=com$" write
	by * none

> 3. the child node can read its own father node

# 3. a child node may read its own father node
access to dn.regex="^cn=([^,]+),ou=([^,]+),dc=com$"
	by dn.regex="^[^,]+,cn=$1,ou=$2,dc=com$" read
	by * none

> 4. every node can write itself

# 4. every node may write its own entry
access to *
	by self write
	by * none


note:
1) these ACLs are considered to work "stand alone", so you'll have to 
figure out yourself how to combine them..
2) I haven't tried any of these, so they might be buggy or not work at 
all.. trial and error may be a good way in this case.. :o)
3) remember that ACLs are processed from top to bottom, and slapd quits 
ACL parsing as soon as one of the clauses matches both "to" and "by" 
conditions
4) the ACLs are designed to work on just one level; to get them to work 
with children at deeper levels, you'll have to "generalize" the DNs a 
bit..
5) the ACLs are definitely not designed to work "as is", you _will_ have 
to do significant rework..

AFAIR there are also some interesting discussions in the archive of this 
list.
http://www.openldap.org/lists/openldap-software/

hth,
daniel
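As an added illustration of notes 1 and 3 (constructed example code, not from the post and not OpenLDAP's own implementation): a small Python model of slapd's top-to-bottom ACL evaluation, run over the four rules above both stacked as written and merged into one directive per kind of target. It assumes the first "access to" whose regex matches the target decides, that inside it the first matching "by" wins, and that $N is substituted verbatim; the sample DNs are constructed.

```python
import re
# Constructed model of slapd's ACL evaluation (not OpenLDAP code): the first "access to" whose
# regex matches the target entry decides, and inside it the first matching "by" clause wins.

def expand(pattern, to_match):
    """Replace $1..$9 in a 'by' pattern with the text captured by the 'to' regex, verbatim."""
    return re.sub(r"\$(\d)", lambda m: to_match.group(int(m.group(1))), pattern)

def by_matches(who, requestor, target, to_match):
    if who == "*":
        return True
    if who == "self":
        return requestor.lower() == target.lower()
    # Anything else is a dn.regex pattern; DNs are compared case-insensitively.
    return re.search(expand(who, to_match), requestor, re.IGNORECASE) is not None

def evaluate(acls, requestor, target):
    """Return 'none', 'read' or 'write' for requestor acting on target under the ACL list."""
    for to_pattern, by_clauses in acls:
        m = re.search(".*" if to_pattern == "*" else to_pattern, target, re.IGNORECASE)
        if m is None:
            continue
        for who, level in by_clauses:
            if by_matches(who, requestor, target, m):
                return level
        return "none"  # 'to' matched but no 'by' did: nothing later is consulted
    return "none"

# The four rules from the post, stacked one after another as written.
STACKED = [
    (r"^cn=[^,]+,ou=([^,]+),dc=com$", [(r"^cn=[^,]+,ou=$1,dc=com$", "read"), ("*", "none")]),
    (r"^[^,]+,cn=([^,]+),ou=([^,]+),dc=com$", [(r"^cn=$1,ou=$2,dc=com$", "write"), ("*", "none")]),
    (r"^cn=([^,]+),ou=([^,]+),dc=com$", [(r"^[^,]+,cn=$1,ou=$2,dc=com$", "read"), ("*", "none")]),
    ("*", [("self", "write"), ("*", "none")]),
]
# The same rules combined: one directive per kind of target, all its "by" clauses together.
MERGED = [
    (r"^cn=([^,]+),ou=([^,]+),dc=com$", [          # a group-level node
        ("self", "write"),
        (r"^[^,]+,cn=$1,ou=$2,dc=com$", "read"),   # readable by its own children
        (r"^cn=[^,]+,ou=$2,dc=com$", "read"),      # readable by the other nodes of its group
        ("*", "none")]),
    (r"^[^,]+,cn=([^,]+),ou=([^,]+),dc=com$", [    # a child node
        ("self", "write"),
        (r"^cn=$1,ou=$2,dc=com$", "write"),        # writable by its father
        ("*", "none")]),
]
# Constructed sample DNs: a father at group level and one of its children.
FATHER, CHILD = "cn=alice,ou=sales,dc=com", "cn=bob,cn=alice,ou=sales,dc=com"
```

Stacked as written, a child asking to read its father hits rule 1's "by * none" first and is denied, and no request ever reaches rule 4; the merged form grants exactly the four things the question asked for.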