[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL questions

To: OpenLDAP-software@OpenLDAP.org
Subject: ACL questions
From: David Wright <ichbin@shadlen.org>
Date: Mon, 03 Jun 2002 02:57:06 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc3) Gecko/20020531 Debian/1.0rc3-2


I would like to implement the following pseudo-ACL:

access to dn=".*,ou=addressbook,uid=($1),ou=people,o=root"
   by dn="uid=($1),ou=people,o=root" write
   by * none

That is, each user can create children of his own ou=addressbook, which is a child of his ou=people entry.

Obviously, I could implement this by having a seperate entry in slapd.conf for each user. That this is undesirable is equally obvious.

I think I could do it with something like by dnattr=owner but then, wouldn't every object below ou=addressbook have to have an owner attribute (which seems rather wasteful)? Or can I somehow do it so that just the ou=addressbook entry has an owner attribute, but the user has write access to all objects below that in the tree?

I would also like to know how a domain-based ACL like by domain=example.com is compared. Is domain resolved to an IP and then compared to the client IP? Or is the client IP reverse-lookuped and then compared tot the domain? Can I just use IP addresses directly as domain entries? What about stuff like 192.0.1.* and 192.0.1.0/24?

Prev by Date: ldapadd: invalid per syntax
Next by Date: Re: Replicating Lotus Domino Master LDAP Server with OPENLDAP Slave server
Index(es):
- Chronological
- Thread