
ACL questions




I would like to implement the following pseudo-ACL:

access to dn=".*,ou=addressbook,uid=($1),ou=people,o=root"
   by dn="uid=($1),ou=people,o=root" write
   by * none

That is, each user can create children of his own ou=addressbook, which is a child of his ou=people entry.

Obviously, I could implement this by having a separate entry in slapd.conf for each user. That this is undesirable is equally obvious.

I think I could do it with something like
by dnattr=owner
but then, wouldn't every object below ou=addressbook have to have an owner attribute (which seems rather wasteful)? Or can I somehow do it so that just the ou=addressbook entry has an owner attribute, but the user has write access to all objects below that in the tree?



I would also like to know how a domain-based ACL like
by domain=example.com
is compared. Is domain resolved to an IP and then compared to the client IP? Or is the client IP reverse-looked-up and then compared to the domain? Can I just use IP addresses directly as domain entries? What about stuff like 192.0.1.* and 192.0.1.0/24?
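As an added illustration (not part of the original post and not a configuration the poster supplied), the slapd.conf fragment below shows the two ACL patterns the post asks about in slapd.access(5) syntax: a regex target whose capture group is expanded into the "by" clause, and address-based "by" clauses. It assumes an OpenLDAP release that supports the dn.regex target style, the expand modifier on the who clause, and peername.ip; the DNs o=root, ou=people and ou=addressbook are taken from the post, and 192.0.1.0/24 and example.com are the post's sample values.

```conf
# Added example, not the poster's configuration. slapd.access(5) syntax;
# assumes a slapd that supports dn.regex targets, the "expand" modifier
# on <who> clauses, and peername.ip (all in OpenLDAP 2.1 and later).

# --- Per-user form the post wants to avoid: one clause per account ---
# access to dn.subtree="ou=addressbook,uid=alice,ou=people,o=root"
#     by dn.exact="uid=alice,ou=people,o=root" write
#     by * none
# (repeated for every user; does not scale and drifts out of sync)

# --- Single clause: regex target, capture group expanded into <who> ---
# The target regex is anchored at both ends and the uid capture group
# excludes commas, so a match cannot slide across RDN boundaries the way
# an unanchored ".*" target with a greedy "($1)" uid would.
# "(.+,)?" covers ou=addressbook itself and every entry below it.
# Group 1 is the optional leading RDNs, group 2 is the uid, hence $2.
access to dn.regex="^(.+,)?ou=addressbook,uid=([^,]+),ou=people,o=root$"
    by dn.exact,expand="uid=$2,ou=people,o=root" write
    by * none

# --- Address-based <who> clauses ---
# domain=... is compared against the host name obtained by reverse-resolving
# the client's IP address, so it only works when slapd performs reverse
# lookups and it trusts the reverse DNS of the client's network.
# peername.ip compares the connection's IP directly; a netmask is appended
# with '%', which is how a /24 is expressed.
access to dn.subtree="ou=people,o=root"
    by peername.ip="192.0.1.0%255.255.255.0" read
    by domain.subtree="example.com" read
    by * none

# slapd evaluates "access to" clauses in order and uses the first whose
# target matches, so the addressbook clause above must appear before any
# broader clause such as one for dn.subtree="o=root".
```

The point to verify after loading this is clause ordering and regex tightness: use slapacl(8) (or an ldapsearch bound as one user against another user's addressbook) to confirm that a user gets write access only under his own ou=addressbook and nothing elsewhere.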