
Re: (raise question again) how to configure LDAP to allow each logged-in user to modify the subtree of the current user?
Zhang Weiwu writes:
> Is it possible to define an ACL such that every user who has successfully
> bound (logged in) can modify their own entry as well as the sub-entries
> below it?
>
> e.g.
> dn: ou=support,xxx
>
> if one connection is bound to this dn, it can modify these entries:
>
> dn: cn=Wang Penghui,ou=support,xxx
> dn: cn=Zhang Weiwu,ou=support,xxx

Something like this:

access to attrs=userPassword
	by self  =wx
	by *  auth

access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
	by dn.expand="$2"  write
	by *  read

Since you must first say what to access and then who should get access
to it, this variant depends on getting the regex for who can access
things exactly right.

This prevents 'ou' users from changing someone else's userPassword though.
So you can put this at the top to combine the two accesses:

access to attrs=userPassword dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
	by self  write
	by dn.expand="$2" write
	by *  read

Or you could do something like this (untested):

access to * by * read  break

access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
	by dn.expand="$2"  write  break
	by *  +0  break

access to attrs=userPassword
	by self  =wx
	by *  -rscd

access to * by * +0

The 'break' means to go on and process the next access statements even
when the 'to' matches the entry being accessed.  '+' and '-' mean to
add or subtract from the access already granted.  The final access
matches everything and stops the default access rules from being used,
so things done with 'break' do not get overridden unexpectedly.

-- 
Regards,
Hallvard
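
The following is an added worked example, not part of the message above and not OpenLDAP's own code: a small Python simulator that evaluates both ACL variants from the reply (the combined-rule version and the 'break' chain) for a few constructed bind DN / entry DN / attribute triples, so you can see which privilege letters each grants before touching slapd.conf. It follows the slapd.access(5) semantics as understood here (first matching 'by' clause wins; 'break' continues with the next 'access to'; '=' sets, '+' adds and '-' removes privilege letters; the level names map to the letters listed in the man page; no matching clause means 'none'). Assumptions: Python's `re` stands in for slapd's POSIX regex, DNs are compared as exact strings (slapd compares normalized DNs), and `xxx` is kept as the placeholder suffix from the question.

```python
"""Simulate evaluation of the two slapd ACL variants from the reply.

Hypothetical simulator written for illustration; it models the documented
slapd.access(5) rules as understood here and is not slapd's own code.
"""
import re

# Privilege letters implied by each named access level (slapd.access(5)).
LEVELS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "cdx",
    "search": "scdx", "read": "rscdx", "write": "wrscdx",
}

# The 'to' regex exactly as posted; group 2 is the ou=...,xxx container.
SUBTREE_RE = re.compile(r"^(.+,)?(ou?=[^,]+,xxx)$")


# 'by' selectors: each takes (bind_dn, entry_dn, regex_match) -> bool.
def anyone(bind_dn, entry_dn, m):
    return True


def self_(bind_dn, entry_dn, m):
    return bind_dn == entry_dn


def expand(group):
    """dn.expand="$<group>": bind DN must equal that capture of the 'to' regex."""
    return lambda bind_dn, entry_dn, m: m is not None and bind_dn == m.group(group)


def apply_access(granted, access):
    """Apply a level name or a =/+/- privilege spec to the privilege set."""
    if access[0] == "=":
        return set(access[1:]) - {"0"}
    if access[0] == "+":
        return granted | (set(access[1:]) - {"0"})
    if access[0] == "-":
        return granted - set(access[1:])
    return set(LEVELS[access])


def evaluate(acl, bind_dn, entry_dn, attr):
    """Return the set of privilege letters bind_dn gets on (entry_dn, attr).

    acl is a list of (dn_regex | None, attrs | None, by_clauses); each by
    clause is (selector, access, "stop" | "break").
    """
    granted = set()
    for dn_re, attrs, by_clauses in acl:
        m = None
        if dn_re is not None:
            m = dn_re.match(entry_dn)
            if m is None:
                continue
        if attrs is not None and attr not in attrs:
            continue
        for who, access, control in by_clauses:
            if who(bind_dn, entry_dn, m):
                granted = apply_access(granted, access)
                if control == "stop":
                    return granted
                break          # 'break': go on to the next 'access to'
        else:
            return set()       # implicit 'by * none' when no clause matched
    return set()               # implicit trailing 'access to * by * none'


# First approach: the combined rule on top, then the two original directives.
ACL_COMBINED = [
    (SUBTREE_RE, {"userPassword"}, [(self_, "write", "stop"),
                                    (expand(2), "write", "stop"),
                                    (anyone, "read", "stop")]),
    (None, {"userPassword"}, [(self_, "=wx", "stop"), (anyone, "auth", "stop")]),
    (SUBTREE_RE, None, [(expand(2), "write", "stop"), (anyone, "read", "stop")]),
]

# Second approach: the 'break' chain with +/- adjustments.
ACL_BREAK = [
    (None, None, [(anyone, "read", "break")]),
    (SUBTREE_RE, None, [(expand(2), "write", "break"), (anyone, "+0", "break")]),
    (None, {"userPassword"}, [(self_, "=wx", "stop"), (anyone, "-rscd", "stop")]),
    (None, None, [(anyone, "+0", "stop")]),
]


def privs(acl, bind_dn, entry_dn, attr):
    """Privileges as a sorted string, e.g. 'wx' or 'cdrsx' ('' means none)."""
    return "".join(sorted(evaluate(acl, bind_dn, entry_dn, attr)))


if __name__ == "__main__":
    # Constructed DNs in the shape of the question (xxx is the posted placeholder).
    cases = [
        ("ou=support,xxx", "cn=Wang Penghui,ou=support,xxx", "userPassword"),
        ("cn=Zhang Weiwu,ou=support,xxx", "cn=Wang Penghui,ou=support,xxx", "userPassword"),
        ("cn=Zhang Weiwu,ou=support,xxx", "cn=Zhang Weiwu,ou=support,xxx", "userPassword"),
        ("", "cn=Wang Penghui,ou=support,xxx", "cn"),
        ("", "cn=admin,xxx", "cn"),
    ]
    for bind_dn, entry_dn, attr in cases:
        print(f"{bind_dn or '(anonymous)':32} {entry_dn:32} {attr:13}"
              f" combined={privs(ACL_COMBINED, bind_dn, entry_dn, attr) or '-':7}"
              f" break={privs(ACL_BREAK, bind_dn, entry_dn, attr) or '-'}")
```

Running it prints one line per case. Two things worth noticing in the simulation: with the combined rule, a peer in the same ou (bound as cn=Zhang Weiwu) gets read on cn=Wang Penghui's userPassword through the trailing `by * read`, whereas the 'break' chain leaves only auth (`x`) there; and an entry outside the regex (cn=admin,xxx) gets nothing under the first approach but read under the second, because of the opening `access to * by * read break`. Confirm against a real slapd with `slapacl` before relying on either.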