Re: ACLs: Dn.subtree + dnattr
At 09:02 AM 6/22/2005, Florian Hochstrasser wrote:
>Dear List
>
>Can anybody point me in the right way? I have a problem with specifying acls which depend on the 'dnattr' who-qualifier. Unfortunately, the 'dnattr' is not documented too well and I couldn't get it working until now.
>Here's the setup:
>
>I have a hierarchy like this:
>
>l=Location1,ou=bla,o=blabla,dc=example,dc=com
>
>The location objectclass:
>
>objectclass ( 1.1.2.2.9 NAME 'myLocality'
> DESC 'a locality object'
> SUP locality STRUCTURAL
> MUST objectclass
> MAY ( admin $ timeZone $ itDomainID $ adminMail $ mail $ description $
> postalAddress $ c $ telephoneNumber $ facsimileTelephoneNumber ) )
>
>Now on the 'l' objects, I created the attribute 'admin' which holds the dn's of people who are (or should be ...) allowed to edit and create entries below the l's.
>
>My acl for such a location looks like this:
>
>access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
>attrs=telephoneNumber,facsimileTelephoneNumber,description,title,homePostalAddress,ou,l,departmentNumber,employeeNumber,givenName,jpegPhoto,roomNumber,secretary,manager,recordType,function,languageSkill,friendlyCountryName,initials,sn,givenname,cn,objectclass,userpassword
> by dnattr=Admin write
Target objects in the named subtree may be written by
whoever is listed in the target object's Admin attribute.
Seems what you want is something like:
by group/myLocality/Admin="l=something,ou=bla,o=blabla,dc=example,dc=com"
write
>There are different admins for each location, and I have many of them so it would be a good thing if I could keep the existing structure and still get it to work.
You might consider using regex/expand facilities.
See slapd.access(5), the Admin Guide, and answers under
<http://www.openldap.org/faq/index.cgi?file=189>
for details.
>Thank you very much for your help.
>
>Regards, Florian
>
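One way to write this ACL with the regex/expand facilities the reply points to, added here as an illustration and not taken from the thread. It assumes slapd.conf syntax of the OpenLDAP 2.2 era (group/objectclass/attr with the expand style, and the entry/children pseudo-attributes); the attribute list is the one from the question with the duplicate givenname dropped.

```conf
# Added example, not from the original thread.
#
# dnattr=Admin checks the Admin attribute of the *target* entry, i.e. the
# person being edited, which carries no such attribute, so nobody matches.
# The group form instead reads the Admin attribute of the location entry
# named in the by clause, treating that location as a group of its admins.
#
# dn.regex captures the location DN as $2, and group/...admin.expand
# substitutes it, so one clause covers every location under ou=bla.
# The optional "(.+,)?" prefix makes the location entry itself match as
# well as every entry below it.
#
# entry and children are included so the admins can also add and delete
# entries under their location, not only modify attributes on existing ones.
# If no by clause matches, slapd applies the implicit "by * none".
access to dn.regex="^(.+,)?(l=[^,]+,ou=bla,o=blabla,dc=example,dc=com)$"
        attrs=entry,children,telephoneNumber,facsimileTelephoneNumber,description,title,homePostalAddress,ou,l,departmentNumber,employeeNumber,givenName,jpegPhoto,roomNumber,secretary,manager,recordType,function,languageSkill,friendlyCountryName,initials,sn,cn,objectClass,userPassword
        by group/myLocality/admin.expand="$2" write
```

Attribute names are matched case-insensitively, so the schema's lowercase admin and the ACL's Admin refer to the same attribute; a bind DN must appear literally as a value of that attribute on the location entry to be granted write.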