
Re: Let logged-in users see their accounts
<fuser9bb@hotpop.com> writes:

> I am using OpenLDAP 2.2.15 on RHES3.
>
> I would like to let an account see its own attributes and what groups it
> belongs to, but not be able to view other accounts or groups that it does
> not belong to. This is a requirement of how a lot of applications work
> (e.g., they look at the account you login as and check which groups you
> belong to).
[...]
> access to dn.subtree="uid=[self],ou=Accounts,dc=xxx"
>         by self read

access to dn.regex="^uid=([^,]+),ou=Accounts,dc=xx$"
                attrs=entry,children,@yourObjectClass
        by dn.exact,expand="uid=$1,ou=accounts,dc=xx" write
        by * none

http://www.openldap.org/faq/data/cache/653.html
http://www.openldap.org/faq/data/cache/973.html

> access to dn.subtree="cn=[in-this-group],ou=Groups,dc=xxx"
>         by self-in-group read
http://www.openldap.org/faq/data/cache/52.html

> I have been reviewing slapd.access but haven't seen a solution so far. I'm
> not sure if there is one.

http://www.openldap.org/faq/data/cache/973.html


-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
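For readers assembling the whole policy asked about in the thread, here is a complete slapd.conf ACL fragment added as an illustration; it is not from the original reply or from the OpenLDAP FAQ entries linked above. It assumes a suffix of dc=example,dc=com, user entries of objectClass inetOrgPerson under ou=Accounts, and groupOfNames groups under ou=Groups; adjust these to your own directory. The "set" clause on the group rule is the documented OpenLDAP set-ACL idiom for "the bound DN is listed in this entry's member attribute".

```conf
# Added example (not from the original post). Assumed suffix: dc=example,dc=com.
# slapd evaluates "access to" clauses in order and stops at the first
# clause whose target matches, so the specific rules come before the catch-all.

# rootDSE must stay readable so clients can discover naming contexts.
access to dn.base=""
        by * read

# Searches based at the containers need entry-level search rights on them;
# without this an authenticated user cannot scope a search at ou=Accounts.
access to dn.base="ou=Accounts,dc=example,dc=com"
        attrs=entry
        by users search
access to dn.base="ou=Groups,dc=example,dc=com"
        attrs=entry
        by users search

# A user may read its own account entry (and anything beneath it), nobody else's.
# The capture group ([^,]+) must wrap the whole RDN value so that $1 expands
# to the full uid; "([^,])+" would capture only a single character.
# @inetOrgPerson is a placeholder for the objectClass whose attributes you expose.
access to dn.regex="^uid=([^,]+),ou=Accounts,dc=example,dc=com$"
        attrs=entry,children,@inetOrgPerson
        by dn.exact,expand="uid=$1,ou=Accounts,dc=example,dc=com" read
        by * none

# A user may read a group only if its own DN appears in that group's member
# attribute. "this" is the entry being evaluated, "user" the bound DN.
access to dn.regex="^cn=[^,]+,ou=Groups,dc=example,dc=com$"
        attrs=entry,cn,member,description
        by set="this/member & user" read
        by * none

# Everything not matched above is invisible.
access to *
        by * none
```

Verify the result as an ordinary account rather than as rootdn, which bypasses ACLs entirely, for example with a bound ldapsearch over ou=Groups: only groups listing that bind DN should be returned, and a search over ou=Accounts should return exactly one entry.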