[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Let logged-in users see their accounts

To: openldap-software@OpenLDAP.org
Subject: Re: Let logged-in users see their accounts
From: "Dieter Kluenter" <dieter@dkluenter.de>
Date: Sun, 12 Dec 2004 10:54:54 +0100
In-reply-to: <018101c4e00a$8c81ad20$9db30b44@dpboxen> (fuser9bb@hotpop.com's message of "Sat, 11 Dec 2004 23:22:05 -0600")
References: <018101c4e00a$8c81ad20$9db30b44@dpboxen>
User-agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.4 (Rational FORTRAN, linux)

<fuser9bb@hotpop.com> writes:

> I am using OpenLDAP 2.2.15 on RHES3.
>
> I would like to let an account see its own attributes and what groups it
> belongs to, but not be able to view other accounts or groups that it does
> not belong to. This is a requirement of how a lot of applications work
> (e.g., they look at the account you login as and check which groups you
> belong to).
[...]
> access to dn.subtree="uid=[self],ou=Accounts,dc=xxx"
>         by self read

access to dn.regex="^uid=([^,])+,,ou=Accounts,dc=xx$"
                attrs=entry,children,@yourObjectClass
        by dn.exact,expand="uid=$1,ou=accounts,dc=xx" write
        by * none

http://www.openldap.org/faq/data/cache/653.html
http://www.openldap.org/faq/data/cache/973.html

> access to dn.subtree="cn=[in-this-group],ou=Groups,dc=xxx"
>         by self-in-group read
http://www.openldap.org/faq/data/cache/52.html

> I have been reviewing slapd.access but haven't seen a solution so far. I'm
> not sure if there is one.

http://www.openldap.org/faq/data/cache/973.html


-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53

References:
- Let logged-in users see their accounts
  - From: <fuser9bb@hotpop.com>

Prev by Date: Supporting apps that work wtih AD and memberOf
Next by Date: Re: Maintaining information about who owns what..
Index(es):
- Chronological
- Thread