[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control

To: Digant C Kasundra <digant@uta.edu>
Subject: Re: Access control
From: John Borwick <borwicjh@wfu.edu>
Date: Tue, 25 May 2004 13:50:24 -0400
Cc: openldap-software@OpenLDAP.org
In-reply-to: <40B37A09.5090405@uta.edu>
Organization: Wake Forest University
References: <40B37A09.5090405@uta.edu>
User-agent: Mozilla Thunderbird 0.6 (X11/20040505)

Digant C Kasundra wrote:

Hello everyone,
I'm trying to see if/how the following access controls could be written:
1. Allow * to read attributes (name, email, phonenumber) in entries in the "cn=people,dc=uta,dc=edu" subtree *IF* attribute viewableAttributes=email. (I can understand how to do this for the most part except for the *IF* condition).


Here's a rule I wrote yesterday:

access to dn.subtree="ou=Users,dc=wfu,dc=edu"
        attr=entry,wfuIsPublic,objectClass,uid
        filter=(wfuIsPublic=Y)
        by * read

slapd.access(5) doesn't make clear that you can have all three qualifiers on one access line, but you can.

2. Allows write access to users who have the attribute userPrivs=admin.


You may want to create an Admin group... at which point you can say:

access to dn.subtree="whatever"
        by group="cn=Admin,dc=group,dc=wfu,dc=edu" write
	by * break

For others: does the "group" specification used here respect "memberOf"?

HTH,
John
--
           John Borwick
       Systems Administrator
      Wake Forest University | web  http://www.wfu.edu/~borwicjh
      Winston-Salem, NC, USA | GPG key ID               7F1F051B

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: Access control
  - From: Rich Graves <rcgraves@brandeis.edu>
- Re: Access control
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- Access control
  - From: Digant C Kasundra <digant@uta.edu>

Prev by Date: Access control
Next by Date: Re: Access control
Index(es):
- Chronological
- Thread