Hi! Since I got OpenLDAP running now, I would like to know how I can give each user access to change its OWN profile/address book entry. The user should log into LDAP with his email address and a password. The question: where do I set its password? I guess I could make an attribute "password", but what about the samba/unix/email login password? They should all be the same, and I don't want to make multiple password attributes in my object units. (I hope I use attribute and object units right here.)
My current DB:
dc=my-domain,dc=com
ou=addressbook
cn=Mario test
cn=test test
[snip]
First, have a place where you store the actual people, e.g. uid=user1,ou=Users,dc=example,dc=com
Now, let's say you have another location where you want data to be stored: cn=user1,ou=Address Book,dc=example,dc=com
After checking out slapd.access(5), you can write rules like so:
# after guarding your userPasswords and other data...
# this rule allows the user to modify him or herself
access to dn.subtree="ou=Users,dc=example,dc=com"
        by self write
        by * read

# this rule allows the user to modify his or her addressbook entry;
# what matched above in the first parentheses gets put in $1
access to dn.regex="^cn=([^,]+),ou=Address Book,dc=example,dc=com$"
        by dn.exact,expand="uid=$1,ou=Users,dc=example,dc=com" write
Please see slapd.access(5) for more information.
(Note: rules as above have not been tested.)
HTH,
John
--
John Borwick
Systems Administrator
Wake Forest University | web http://www.wfu.edu/~borwicjh
Winston-Salem, NC, USA | GPG key ID 56D60872
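As an added illustration (not part of John's reply and not OpenLDAP code), the following Python models how slapd evaluates the rules above: the first <what> clause that matches wins, then the first <by> clause inside it, and a dn.regex capture is expanded into a dn.exact,expand pattern via $1. It includes the userPassword guard the first comment alludes to and, as an assumption, a "by users read" clause so other authenticated users can read the address book. The DN normalisation is a crude stand-in for slapd's, and the example.com DNs are constructed sample data.

```python
"""Toy model of slapd first-match ACL evaluation for the rules in the reply.

Added illustration only; it is not OpenLDAP code. Assumptions: example.com
DNs, a "by users read" clause on the address book, and crude DN
normalisation (lower-case, strip spaces after commas).
"""
import re

# slapd access levels in increasing order; a higher grant implies the lower ones
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def norm(dn):
    """Crude DN normalisation, enough for the constructed sample DNs."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


# <who> clauses: requester is None for an anonymous bind
def who_self(requester, target, caps):
    return requester is not None and norm(requester) == norm(target)


def who_anonymous(requester, target, caps):
    return requester is None


def who_users(requester, target, caps):
    return requester is not None


def who_any(requester, target, caps):
    return True


def who_exact_expand(pattern):
    """by dn.exact,expand="<pattern>": substitute $N from the <what> regex, then compare exactly."""
    def who(requester, target, caps):
        if requester is None:
            return False
        dn = re.sub(r"\$(\d)", lambda m: caps[int(m.group(1)) - 1], pattern)
        return norm(requester) == norm(dn)
    return who


# <what> clauses: return captured groups on a match, None otherwise
def what_attrs(*attrs):
    wanted = {a.lower() for a in attrs}
    def what(target, attr):
        return () if attr is not None and attr.lower() in wanted else None
    return what


def what_subtree(base):
    b = norm(base)
    def what(target, attr):
        t = norm(target)
        return () if t == b or t.endswith("," + b) else None
    return what


def what_regex(pattern):
    rx = re.compile(pattern, re.I)
    def what(target, attr):
        m = rx.search(norm(target))  # like regexec(): unanchored unless ^...$ is written
        return m.groups() if m else None
    return what


ACL = [
    # access to attrs=userPassword  by self write  by anonymous auth  by * none
    (what_attrs("userPassword"),
     [(who_self, "write"), (who_anonymous, "auth"), (who_any, "none")]),
    # access to dn.subtree="ou=Users,dc=example,dc=com"  by self write  by * read
    (what_subtree("ou=Users,dc=example,dc=com"),
     [(who_self, "write"), (who_any, "read")]),
    # access to dn.regex="^cn=([^,]+),ou=Address Book,dc=example,dc=com$"
    #   by dn.exact,expand="uid=$1,ou=Users,dc=example,dc=com" write
    #   by users read   (assumption: the address book is readable by authenticated users)
    (what_regex(r"^cn=([^,]+),ou=address book,dc=example,dc=com$"),
     [(who_exact_expand("uid=$1,ou=Users,dc=example,dc=com"), "write"),
      (who_users, "read")]),
]


def granted(requester, target, attr=None):
    """First matching <what> wins; inside it the first matching <by> wins.
    No matching <by> means 'none'; no matching rule at all falls back to
    slapd's built-in default level, read."""
    for what, bys in ACL:
        caps = what(target, attr)
        if caps is None:
            continue
        for who, level in bys:
            if who(requester, target, caps):
                return level
        return "none"
    return "read"


def allowed(requester, target, want, attr=None):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted(requester, target, attr)) >= LEVELS.index(want)
```

Note that the anchored regex with [^,]+ only covers the address-book entry itself; a child entry such as cn=home,cn=user1,ou=Address Book,... falls through to the default level, so it needs its own rule if users are meant to write below their entry.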