Re: "children" keyword in the field <what> of an ACL
Hi,
François Beretti <francois.beretti@enatel.com> writes:
> Thank you for your answer, Edward
> so here is my problem :
>
> I want to give to each person of my directory (so each entry implementing
> the "person" objectclass) some rights on the entries of their own subtree,
> depending on which objectclass the entry implements
>
> for example, if every user has sub-entries of the class "storage", I want
> the users to have read access on their 'storage' entries
> same for other sub-entries, implementing objectclass "parameter" on which I
> want the user to have write access (but only for their own subtree)
>
> That doesn't seem to be possible at the moment...
You may want to have a look at access control information (aci). You
could grant permissions to each subentry by defining individual access-ids
which could be a user's DN. An aci could look like
dn:cn=storage
objectclass:whatever
userPassword:xxxx
openLDAPaci:1.3.6.1.4.1.14658.3.3#entry#grant;w,r,s,c;userPassword#access-id#cn=admanager,o=kluenter
In this example write access to the attribute userPassword is granted
to the access-id "cn=admanager,o=kluenter". For more info see
http://www.openldap.org/faq/data/cache/634.html
-Dieter
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
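
Added example (not part of the message above and not OpenLDAP's own code): a small Python decoder for the OpenLDAPaci value quoted in the reply, useful when auditing which subject an ACI grants write access to. The five-field layout, the repeated ";perms;attrs" pairs and the "[all]" wildcard are assumptions; parse_aci and write_grants are hypothetical helper names.

```python
# Added example, not from the original message.
# Assumed layout: OID#scope#rights#type#subject; rights are '$'-separated,
# each "action;perms;attrs" with optional further ";perms;attrs" pairs.
PERMS = {"w": "write", "r": "read", "s": "search", "c": "compare"}


def parse_aci(value):
    """Decode one OpenLDAPaci value; raise ValueError if it is malformed."""
    # The subject comes last and may contain '#', so split at most 4 times.
    parts = value.split("#", 4)
    if len(parts) != 5:
        raise ValueError("expected 5 '#'-separated fields, got %d" % len(parts))
    oid, scope, rights, subject_type, subject = parts
    parsed = []
    for right in filter(None, rights.split("$")):
        action, *pairs = right.split(";")
        if action not in ("grant", "deny") or not pairs or len(pairs) % 2:
            raise ValueError("malformed right: %r" % right)
        for perms, attrs in zip(pairs[0::2], pairs[1::2]):
            parsed.append({
                "action": action,
                # Letters outside w/r/s/c are kept as-is rather than guessed.
                "permissions": [PERMS.get(p, p) for p in perms.split(",") if p],
                "attributes": [a for a in attrs.split(",") if a],
            })
    return {"oid": oid, "scope": scope, "rights": parsed,
            "subject_type": subject_type, "subject": subject}


def write_grants(aci, attribute):
    """Return [(subject_type, subject)] if the ACI grants write on attribute."""
    wanted = attribute.lower()
    for right in aci["rights"]:
        attrs = [a.lower() for a in right["attributes"]]
        # "[all]" is assumed to be the wildcard covering every attribute.
        if (right["action"] == "grant" and "write" in right["permissions"]
                and (wanted in attrs or "[all]" in attrs)):
            return [(aci["subject_type"], aci["subject"])]
    return []


# The ACI value quoted in the message above.
SAMPLE = ("1.3.6.1.4.1.14658.3.3#entry#grant;w,r,s,c;userPassword"
          "#access-id#cn=admanager,o=kluenter")

if __name__ == "__main__":
    for entry in parse_aci(SAMPLE)["rights"]:
        print(entry["action"], entry["permissions"], entry["attributes"])
    print("write on userPassword:", write_grants(parse_aci(SAMPLE), "userPassword"))
```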