
Re: ACLs: Dn.subtree + dnattr



At 09:02 AM 6/22/2005, Florian Hochstrasser wrote:
>Dear List
>
>Can anybody point me in the right way? I have a problem with specifying acls which depend on the 'dnattr' who-qualifier. Unfortunately, the 'dnattr' is not documented too well and I couldn't get it working until now.
>Here's the setup: 
>
>I have a hierarchy like this:
>
>l=Location1,ou=bla,o=blabla,dc=example,dc=com
>
>The location objectclass:
>
>objectclass ( 1.1.2.2.9 NAME 'myLocality'
>    DESC 'a locality object'
>    SUP locality STRUCTURAL
>    MUST objectclass
>    MAY ( admin $ timeZone $ itDomainID $ adminMail $ mail $ description $ 
>        postalAddress $ c $ telephoneNumber $ facsimileTelephoneNumber ) )
>
>Now on the 'l' objects, I created the attribute 'admin' which holds the dn's of people who are (or should be ...) allowed to edit and create entries below the l's.
>
>My acl for such a location looks like this:
>
>access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
>attrs=telephoneNumber,facsimileTelephoneNumber,description,title,homePostalAddress,ou,l,departmentNumber,employeeNumber,givenName,jpegPhoto,roomNumber,secretary,manager,recordType,function,languageSkill,friendlyCountryName,initials,sn,givenname,cn,objectclass,userpassword
>        by dnattr=Admin write

Target objects in the named subtree may be written by
whoever is listed in the target object's Admin attribute. 

Seems what you want is something like:
 by group/myLocality/Admin="l=something,ou=bla,o=blabla,dc=example,dc=com"
   write


>There are different admins for each location, and I have many of them so it would be a good thing if I could keep the existing structure and still get it to work.

You might consider using regex/expand facilities.

See slapd.access(5), the Admin Guide, and answers under
http://www.openldap.org/faq/index.cgi?file=189
for details.



>Thank you very much for your help.
>
>Regards, Florian
>
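The three forms discussed in the thread side by side, as an added slapd.conf fragment that is not part of the original exchange: the DNs, the myLocality objectclass and the Admin attribute are the poster's, the shortened attrs list and the regex that captures the location RDN are assumptions.

```conf
# Added example; only the DNs, objectclass and attribute names come
# from the thread. The attrs list is shortened for readability.

# What the posted rule actually grants: write access to whoever is listed
# in the Admin attribute of the *target* entry being written. Entries
# below the location carry no Admin attribute, so nobody ever matches.
access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
        attrs=telephoneNumber,description,cn,sn
        by dnattr=Admin write
        by * read

# Per-location form from the reply: the location entry itself acts as
# the "group" (objectclass myLocality) and its Admin attribute holds the
# member DNs. Admin must be a DN-syntax attribute for this to work.
access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
        attrs=telephoneNumber,description,cn,sn
        by group/myLocality/Admin="l=something,ou=bla,o=blabla,dc=example,dc=com" write
        by * read

# One rule for every location using the regex/expand facilities the
# reply points to: $2 captures the location RDN value from the target
# DN and is substituted into the group DN. Order matters: slapd uses the
# first <access to> directive whose target matches, so keep this above
# any broader rule for the same attributes.
access to dn.regex="^(.+,)?l=([^,]+),ou=bla,o=blabla,dc=example,dc=com$"
        attrs=telephoneNumber,description,cn,sn
        by group/myLocality/Admin.expand="l=$2,ou=bla,o=blabla,dc=example,dc=com" write
        by * read
```

Lines beginning with whitespace are continuation lines in slapd.conf, so the attrs and by clauses above belong to the preceding access directive.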