Tue, 2002-09-17 at 19:12, Flavio Alves wrote:

> I'm new to LDAP, and I have some doubts regarding LDAP itself and ACL.

So am I and so have I.

> What I really need is for a user (Jonny Gogogo for instance) to have
> access to its entry and also its subtree.
> When a user authenticates, he gains access to these entries...
>
> + -- cn=User X,cn=users,dc=example,dc=com
> + -- cn=Application 1,cn=User X,cn=users,dc=example,dc=com
> + -- cn=Application 2,cn=User X,cn=users,dc=example,dc=com
> + -- cn=Application 3,cn=User X,cn=users,dc=example,dc=com

To my pea-like brain, you can't go from right to left, you have to go
from left to right. You'd have to create a group to which Jonny Gogo has
sole access (along with Admin or whatever you call your manager), and
then give those two (or more, for that matter) complete access to it.
Put whatever Jonny has access to in that group:

    # slapd.conf ACL: the entry below is named ou=Gogothings, so the
    # target DN here must use the same RDN.  Anonymous gets "auth" so
    # that a bind can still be checked; Jonny and Admin get write;
    # everybody else gets nothing.
    access to dn="ou=Gogothings,cn=users,dc=example,dc=com"
        by anonymous auth
        by dn="cn=Jonny Gogo,cn=users,dc=example,dc=com" write
        by dn="cn=Admin,cn=users,dc=example,dc=com" write
        by * none

    # LDIF for the entry.  The naming attribute (ou) has to be present
    # in the entry, and each description value must be distinct, or
    # slapd rejects the add.
    dn: ou=Gogothings,cn=users,dc=example,dc=com
    objectClass: top
    objectClass: account
    objectClass: extensibleObject
    ou: Gogothings
    userid: Gogothings
    description: App1
    description: App2
    description: App3

I dunno. I just picked an objectClass out of OpenLDAP's standard schemas
that works with GQ. There are most probably more suitable objectClasses.
But something like that.

Now I'm looking forward to someone telling me a better way :-)

Best,

Tony

--
Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-post:         tonni@billy.demon.nl
www:            http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor

Telefoon:       (+31) (0)172 530428
Mobiel:         (+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
Attachment: signature.asc (This is a digitally signed message part)
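Flavio's original requirement (each user reads and writes its own entry and everything beneath it, without a separate group entry per user) can be expressed directly with a regex target whose capture is substituted into the bind DN. The fragment below is an added example by the editor, not code from Tony's reply or from the OpenLDAP project; it uses the dn.regex target and the dn.exact,expand clause documented in slapd.access(5) for OpenLDAP 2.2 and later (check the manual page for the release you run). The suffix, the cn=users container and the cn=Admin DN are taken from the thread; the separate userPassword rule and the catch-all read rule are assumptions about the rest of the tree.

```conf
# slapd.conf ACL fragment (added example, OpenLDAP 2.2+ syntax).
# Rules are tried in order and the first "access to" whose target
# matches the entry wins, so the specific rules come before the
# catch-all.  The rootdn bypasses all of this, so test with an
# ordinary bind DN, never with the rootdn.

# 1. Passwords: anyone may bind against them ("auth"), the owner and
#    Admin may change them, nobody may read them back.  Without a
#    rule granting "auth" on userPassword the bind itself fails.
access to dn.regex="^(.+,)?cn=([^,]+),cn=users,dc=example,dc=com$" attrs=userPassword
    by anonymous auth
    by dn.exact,expand="cn=$2,cn=users,dc=example,dc=com" write
    by dn.exact="cn=Admin,cn=users,dc=example,dc=com" write
    by * none

# 2. The user's own entry and its whole subtree.  $2 captures the cn
#    of the user entry: cn=Application 1,cn=User X,cn=users,... expands
#    to cn=User X,cn=users,..., so only that bind DN (and Admin) may
#    read or write anything under it.  The container cn=users itself
#    does not match (nothing follows its cn before ",cn=users") and
#    falls through to rule 3.
access to dn.regex="^(.+,)?cn=([^,]+),cn=users,dc=example,dc=com$"
    by dn.exact,expand="cn=$2,cn=users,dc=example,dc=com" write
    by dn.exact="cn=Admin,cn=users,dc=example,dc=com" write
    by * none

# 3. Everything else under the suffix: authenticated users may read
#    (read implies search, so they can traverse down to their own
#    subtree), anonymous users get nothing.
access to dn.subtree="dc=example,dc=com"
    by users read
    by * none
```

Two checks worth doing after a change like this: bind as cn=User X and search the base dc=example,dc=com to confirm that only the own subtree comes back, then bind as another user and confirm that cn=User X's subtree is invisible rather than merely unwritable. On OpenLDAP 2.3 and later the slapacl(8) tool answers such "who may do what to which entry" questions offline without a running server.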