
Re: Naive question



Hari,

turba/horde (http://www.horde.org/turba/) is handling that in a way that
users can have their own address book under their own entry:

The user:
dn: uid=User,ou=People,dc=foo,dc=bar

The address book:
dn: ou=ABook,uid=User,ou=People,dc=foo,dc=bar

That way you have a global address book under
dn: ou=People,dc=foo,dc=bar

and a personal one under the entry of each user; but, since

access to
dn.subtree="ou=PersonalAddressBook,uid=User,ou=People,dc=foo,dc=bar"
        by self write
        by dn="cn=Admin,dc=foo,dc=bar" write
        by users read

(see http://www.openldap.org/software/man.cgi?query=slapd.access)

must not work ('self' in my understanding only refers to
'uid=User,ou=People,dc=foo,dc=bar' in this example, not the entire
subtree), you'll yet have to add an access rule for every user with
his/her own personal address book, like

access to dn.subtree="uid=User,ou=People,dc=foo,dc=bar"
        by dn="uid=User,ou=People,dc=foo,dc=bar" write
        by dn="cn=Admin,dc=foo,dc=bar" write
        by users read

Not quite what you (and I, too) wanted, right?!

Max

Hariharan Gopalan wrote:
> I am looking to openldap to provide contact database for my organization.
> What I am hoping is that the members would be able to maintain their own
> contact information up to date, without anyone having to maintain this
> manually. Am I looking at record level access control for this? Am just
> trying it out, and struggling with it, so thought it better to get this
> cleared before I put in more time!
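
One way around the per-user rule Max describes, added here as an illustration and not taken from his message, the Horde/Turba project or the original poster: a single slapd.conf ACL whose target is a regex over the personal address-book subtree, with a back-reference expanded into the `by` clause so that the owning user is derived from the DN being accessed. It assumes the layout from the thread (ou=ABook under uid=<name>,ou=People,dc=foo,dc=bar) and the `dn.regex` / `expand` syntax documented in slapd.access(5).

```conf
# Added illustration, not from the thread.  Assumed layout:
#   user:          uid=<name>,ou=People,dc=foo,dc=bar
#   address book:  ou=ABook,uid=<name>,ou=People,dc=foo,dc=bar
#
# slapd stops at the first "access to" clause whose target matches, so
# this more specific rule must precede any rule on ou=People,dc=foo,dc=bar.
#
# The pattern matches the ou=ABook entry itself and anything beneath it;
# $2 captures the owner's DN.  It is written in lowercase because slapd
# matches ACL regexes against the normalized form of the DN.
access to dn.regex="^(.*,)?ou=abook,(uid=[^,]+,ou=people,dc=foo,dc=bar)$"
        by dn.exact,expand="$2" write
        by dn="cn=Admin,dc=foo,dc=bar" write
        by users read
        by * none

# Global address book: everyone authenticated may read, each user may
# modify only his or her own entry, the admin may modify everything.
access to dn.subtree="ou=People,dc=foo,dc=bar"
        by self write
        by dn="cn=Admin,dc=foo,dc=bar" write
        by users read
        by * none
```

The first rule replaces the one-rule-per-user scheme: a bind as uid=alice gets write access only to entries whose DN ends in ou=ABook,uid=alice,ou=People,dc=foo,dc=bar, because that is the only DN for which the expanded `$2` equals the bind DN. Anonymous clients get nothing in either subtree. Whether a given slapd release also offers the `self.level{<n>}` style as a shorter way to express "the entry n levels above the target is me" should be checked against that version's slapd.access(5) before relying on it.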