ACLs: Dn.subtree + dnattr
- To: <openldap-software@OpenLDAP.org>
- Subject: ACLs: Dn.subtree + dnattr
- From: "Florian Hochstrasser" <florian.hochstrasser@swisslog.com>
- Date: Wed, 22 Jun 2005 18:02:10 +0200
- Content-class: urn:content-classes:message
- Thread-index: AcV3Pc8B8Xj6BbEVT6KHKA/D1Q3CCwAADbKQAAFmqfA=
- Thread-topic: ACLs: Dn.subtree + dnattr
Dear List
Can anybody point me in the right direction? I have a problem with specifying ACLs which depend on the 'dnattr' who-qualifier. Unfortunately, 'dnattr' is not documented too well and I couldn't get it working until now.
Here's the setup:
I have a hierarchy like this:
l=Location1,ou=bla,o=blabla,dc=example,dc=com
The location objectclass:
objectclass ( 1.1.2.2.9 NAME 'myLocality'
DESC 'a locality object'
SUP locality STRUCTURAL
MUST objectclass
MAY ( admin $ timeZone $ itDomainID $ adminMail $ mail $ description $
postalAddress $ c $ telephoneNumber $ facsimileTelephoneNumber ) )
Now on the 'l' objects, I created the attribute 'admin' which holds the DNs of people who are (or should be ...) allowed to edit and create entries below the l's.
My acl for such a location looks like this:
access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
attrs=telephoneNumber,facsimileTelephoneNumber,description,title,homePostalAddress,ou,l,departmentNumber,employeeNumber,givenName,jpegPhoto,roomNumber,secretary,manager,recordType,function,languageSkill,friendlyCountryName,initials,sn,givenname,cn,objectclass,userpassword
by dnattr=Admin write
by * read
There are different admins for each location, and I have many of them so it would be a good thing if I could keep the existing structure and still get it to work.
Thank you very much for your help.
Regards, Florian
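As an added illustration (not part of the post, and not OpenLDAP code), the model below mimics how slapd evaluates a dnattr clause as described in slapd.access(5): the requester's DN must be listed in the named attribute of the entry being accessed, so child entries under the 'l=' node, which carry no 'admin' attribute of their own, fall through to 'by * read'. The entries, DNs and helper names are constructed for the example.

```python
"""Toy model of slapd's `dnattr` <who> clause (added example, not slapd code).

Per slapd.access(5), `dnattr=<attr>` matches when the requester's DN appears
in <attr> of the *target entry itself*, never in an ancestor's attribute.
"""
from typing import Dict, List

# Constructed directory mirroring the poster's tree: the location entry holds
# `admin`; the person entry below it does not.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "l=something,ou=bla,o=blabla,dc=example,dc=com": {
        "objectclass": ["myLocality"],
        "admin": ["cn=alice,ou=people,dc=example,dc=com"],
    },
    "cn=bob,l=something,ou=bla,o=blabla,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"],
        "telephoneNumber": ["+41 1 234 56 78"],
    },
}

# The <what> part of the poster's ACL: dn.subtree="l=something,..."
SUBTREE = "l=something,ou=bla,o=blabla,dc=example,dc=com"


def normalize_dn(dn: str) -> str:
    """Crude DN normalization (case and spacing); real slapd does much more."""
    return dn.lower().replace(" ", "")


def dn_in_subtree(dn: str, base: str) -> bool:
    """dn.subtree covers the base entry and everything beneath it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def access_for(requester: str, target: str) -> str:
    """Evaluate the clauses `by dnattr=admin write` / `by * read` for target."""
    if not dn_in_subtree(target, SUBTREE):
        return "none"  # this ACL does not apply; slapd would try the next one
    entry = DIRECTORY.get(target, {})
    # dnattr: collect the admin values of the TARGET entry only (attribute
    # names are case-insensitive, so `Admin` and `admin` are the same).
    admins = {normalize_dn(v) for v in entry.get("admin", [])}
    if normalize_dn(requester) in admins:
        return "write"  # first matching <by> clause wins
    return "read"  # fallback: by * read
```

Running it shows the pitfall: the admin listed on the 'l=' entry gets write on that entry, but only read on entries below it.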