[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL for only creating entry (SOLVED)

To: <openldap-software@OpenLDAP.org>
Subject: ACL for only creating entry (SOLVED)
From: <adamtheo@theoretic.com>
Date: Sat, 20 Dec 2003 02:22:19 -0600 (CST)
Importance: Normal

To Ace Suares, Pierangelo Masarati, and others of the list:

Pierangelo's suggestion for the ACL's to get the desired result of
allowing a UID to add new entries to a branch of the LDAP directory, but
also being denied access to read or write to them immediately after
creation (for the purpose of setting up an account registration form for
the general public to use to create accounts for themselves) has worked.

I had to figure out where to place his snippet, but after a short trial
and error period, this is my final and complete ACL entry for my
Directory:


<quote from='/etc/openldap/slapd.conf'>

access to attr=userPassword
        by self write
        by anonymous auth

access to dn.base="ou=users,dc=theoretic,dc=com"
        by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by anonymous auth
        by users read
        by self write
        by * none

access to dn.children="ou=users,dc=theoretic,dc=com"
       by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =xcsw

</quote>

These ACL's allow 'uid=webregister' to create a new 'uid' entry under
'ou=users', but forbids it from seeing those entries (both those it
creates and already existing ones), even forbidding write access.

Thank you everyone!

Follow-Ups:
- Re: ACL for only creating entry (SOLVED)
  - From: Pierangelo Masarati <ando@sys-net.it>
- fail to add an entry with PERL LDAP module
  - From: Thierno Cissé <thierno.cisse@sentoo.sn>

Prev by Date: Re: Answering frequently asked questions
Next by Date: Re: ACL for only creating entry (SOLVED)
Index(es):
- Chronological
- Thread