Re: Access control

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, May 25, 2004 1:50 PM -0400 John Borwick <borwicjh@wfu.edu> 
wrote:

> Digant C Kasundra wrote:
> > Hello everyone,
> >
> > I'm trying to see if/how the following access controls could be written:
> >
> > 1.  Allow * to read attributes (name, email, phonenumber) in entries in
> > the "cn=people,dc=uta,dc=edu" subtree *IF* attribute
> > viewableAttributes=email.
> > (I can understand how to do this for the most part except for the *IF*
> > condition).
>
> Here's a rule I wrote yesterday:
>
> access to dn.subtree="ou=Users,dc=wfu,dc=edu"
>          attr=entry,wfuIsPublic,objectClass,uid
>          filter=(wfuIsPublic=Y)
>          by * read
>
> slapd.access(5) doesn't make clear that you can have all three qualifiers
> on one access line, but you can.
>
> > 2. Allows write access to users who have the attribute userPrivs=admin.
>
> You may want to create an Admin group... at which point you can say:
>
> access to dn.subtree="whatever"
>          by group="cn=Admin,dc=group,dc=wfu,dc=edu" write
> 	by * break
>
> For others: does the "group" specification used here respect "memberOf"?

In 2.2, another possibility would to be create a dynamic group who's 
members are determined by userPrivs=admin, and just give that group write 
access.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html