Re: access rule for multiple attributetypes
Kurt,
Thanks for the reply. Have you tried this method? Perhaps I am doing
something wrong but it does not seem to work.
The following is from man slapd.access:

    The statement attrs=<attrlist> selects the attributes the
    access control rule applies to. It is a comma-separated
    list of attribute types, plus the special names entry,
    indicating access to the entry itself, and children, indicating
    access to the entry's children. ObjectClass names may also
    be specified in this list, which will affect all the
    attributes that are required and/or allowed by that objectClass.
    Actually, names in <attrlist> that are prefixed by @ are
    directly treated as objectClass names. A name prefixed by !
    is also treated as an objectClass, but in this case the
    access rule affects the attributes that are not required nor
    allowed by that objectClass.

I have defined an objectclass like this as a test:

objectclass ( BathObjectClass:8 NAME 'BathDOEPerson'
    DESC 'Allow ACL for bathdoe attributes'
    SUP top
    MAY ( bathdoepublications )
    )

and an ACL like this:

access to attr=@bathdoeperson
    by self write
    by dn.base="cn=directory manager,o=bath.ac.uk" write
    by * none

Does this look correct to you?

--On 10 September 2004 14:07 -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
wrote:

> At 02:58 AM 9/10/2004, Paul Christie wrote:
>> I have about 30 attributes all with names starting with 'bathdoe' I need
>> to set an access rule in slapd.conf for all of them. Is there a way to
>> do this without repeating the rule many times?
>
> You can define an auxiliary class which allows all these attributes,
> then use that class in your ACLs. See slapd.conf(5) for details.
>
>> It does not look as though it is possible to split the list of
>> attributes over more than one line so the number of attributes per
>> access statement is limited, especially if you want the statements to
>> look tidy.
>>
>> Paul Christie
>> Bath University Computing Services

Paul Christie
Bath University Computing Services
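
The attrlist selection rules quoted from slapd.access in the message above, modelled as an added example that is not part of the original post and is not slapd's own code. The function names `parse_objectclasses` and `rule_selects` are hypothetical, the schema text is the test class from the message, and the model assumes only a class's own MUST/MAY lists count (SUP inheritance is ignored) and that an unknown class name selects nothing.

```python
import re

# Constructed sample: the objectclass definition from the message above.
SCHEMA_TEXT = """
objectclass ( BathObjectClass:8 NAME 'BathDOEPerson'
    DESC 'Allow ACL for bathdoe attributes'
    SUP top
    MAY ( bathdoepublications )
    )
"""

def parse_objectclasses(text):
    """Return {lowercased class name: set of lowercased MUST/MAY attributes}."""
    classes = {}
    for block in re.split(r"(?im)^objectclass\b", text)[1:]:
        name = re.search(r"NAME\s+'([^']+)'", block)
        if not name:
            continue
        # Drop quoted strings so words inside DESC are not read as keywords.
        unquoted = re.sub(r"'[^']*'", "", block)
        attrs = set()
        for m in re.finditer(r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|([\w;-]+))", unquoted):
            body = m.group(1) if m.group(1) is not None else m.group(2)
            attrs.update(a.strip().lower() for a in body.split("$") if a.strip())
        classes[name.group(1).lower()] = attrs
    return classes

def rule_selects(attrlist, attr, classes):
    """True if an attrs=<attrlist> clause selects attribute `attr`."""
    attr = attr.lower()  # LDAP descriptor names are case-insensitive
    for item in (i.strip().lower() for i in attrlist.split(",")):
        if item.startswith("@"):    # attributes required/allowed by the class
            if attr in classes.get(item[1:], set()):
                return True
        elif item.startswith("!"):  # attributes NOT required/allowed by the class
            if item[1:] in classes and attr not in classes[item[1:]]:
                return True
        elif item in classes:       # bare objectClass name, treated like @name
            if attr in classes[item]:
                return True
        elif item == attr:          # plain attribute type, or entry / children
            return True
    return False
```

Under these assumptions `rule_selects("@bathdoeperson", "bathdoepublications", parse_objectclasses(SCHEMA_TEXT))` is true, so the quoted paragraph on its own does place that attribute inside the rule's selection.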