Re: Let logged-in users see their accounts
<fuser9bb@hotpop.com> writes:
> I am using OpenLDAP 2.2.15 on RHES3.
>
> I would like to let an account see its own attributes and what groups it
> belongs to, but not be able to view other accounts or groups that it does
> not belong to. This is a requirement of how a lot of applications work
> (e.g., they look at the account you login as and check which groups you
> belong to).
[...]
> access to dn.subtree="uid=[self],ou=Accounts,dc=xxx"
> by self read
access to dn.regex="^uid=([^,]+),ou=Accounts,dc=xx$"
        attrs=entry,children,@yourObjectClass
        by dn.exact,expand="uid=$1,ou=accounts,dc=xx" write
        by * none
http://www.openldap.org/faq/data/cache/653.html
http://www.openldap.org/faq/data/cache/973.html
> access to dn.subtree="cn=[in-this-group],ou=Groups,dc=xxx"
> by self-in-group read
http://www.openldap.org/faq/data/cache/52.html
> I have been reviewing slapd.access but haven't seen a solution so far. I'm
> not sure if there is one.
http://www.openldap.org/faq/data/cache/973.html
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
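Putting the regex/expand rule together with the group half of the question, here is a complete slapd.conf ACL set as an added example; it is not from Dieter's reply or from the OpenLDAP FAQ entries linked above. It assumes the suffix dc=example,dc=com, accounts under ou=Accounts and groupOfNames entries under ou=Groups; the dnattr clause grants read on a group only to the DNs listed in its member attribute, which covers "groups the account belongs to" without a regex.

```conf
# ACL set as an added example (assumed suffix dc=example,dc=com).
# slapd evaluates "access to" directives in order and stops at the first
# one whose target matches, so the most specific rules come first and the
# catch-all at the end closes everything else.

# Passwords: the owner may change it, anonymous may only use it to bind,
# nobody can read it (no hash disclosure, not even to the user itself).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Search base: applications bind as the user and search ou=Accounts, so the
# bound user needs search permission on the base entry's "entry" pseudo-attribute.
access to dn.base="ou=Accounts,dc=example,dc=com" attrs=entry
        by users search
        by * none

# Own account: the regex captures the uid and $1 is expanded into the "by"
# clause, so only the DN that was captured matches. The capture group must
# be written ([^,]+); with ([^,])+ the $1 holds only the last character.
access to dn.regex="^uid=([^,]+),ou=Accounts,dc=example,dc=com$"
        by dn.exact,expand="uid=$1,ou=Accounts,dc=example,dc=com" read
        by * none

# Groups: a group entry is readable only by the DNs listed in its member
# attribute, so each account sees exactly the groups it belongs to.
access to dn.base="ou=Groups,dc=example,dc=com" attrs=entry
        by users search
        by * none
access to dn.one="ou=Groups,dc=example,dc=com"
        by dnattr=member read
        by * none

# Everything else (other accounts, foreign groups) is invisible.
access to *
        by * none
```

Check it by binding as a test account: `ldapsearch -x -D "uid=alice,ou=Accounts,dc=example,dc=com" -W -b "ou=Groups,dc=example,dc=com" "(member=uid=alice,ou=Accounts,dc=example,dc=com)"` should list only alice's groups, and a search of ou=Accounts bound as a different account should return nothing about alice's entry.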