Re: "children" keyword in the field <what> of an ACL

[Dieter Kluenter <dieter@dkluenter.de>]

Hi,

François Beretti <francois.beretti@enatel.com> writes:

> Thank you for your answer, Edward

> so here is my problem :
>
> I want to give to each person of my directory (so each entry implementing
> the "person" objectclass) some rights on the entries of their own subtree,
> depending on which objectclass the entry implements
>
> for exemple, if every user has sub-entries of the class "storage", I want
> the users to have read access on their 'storage' entries
> same for other sub-entries, implementing objectclass "parameter" on which I
> want the user to have write access (but only for their own subtree)
>
> That doesn't seem to be possible at the moment...

You may want to have a look at access control information (aci). You
could grant permissions to each subentry by defining indiviual access-id's
which could be a users DN. An aci could look like

dn:cn=storage
objectclass:whatever
userPassword:xxxx
openLDAPaci:1.3.6.1.4.1.14658.3.3#entry#grant;w,r,s,c;userPassword#access-id#cn=admanager,o=kluenter

In this example write access to the attribute userPassword is granted
to the access-id "cn=admanger,o=kluenter". For more info see

http://www.openldap.org/faq/data/cache/634.html

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de