Re: (raise question again) how to configure LDAP to allow each logged-in user to modify the subtree of the current user?
On Tue, 2007-05-15 at 17:08 +0200, Hallvard B Furuseth wrote:
> Zhang Weiwu writes:
> > Is it possible to define an ACL so that every user who has successfully
> > bound (logged in) can modify their own entry as well as the entries
> > below it?
> >
> > e.g.
> > dn: ou=support,xxx
> >
> > if a connection is bound to this dn, it can modify these entries:
> >
> > dn: cn=Wang Penghui,ou=support,xxx
> > dn: cn=Zhang Weiwu,ou=support,xxx
>
> Something like this:
>
> access to attrs=userPassword
> by self =wx
> by * auth
>
> access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
> by dn.expand="$2" write
> by * read
>
> Since you must first say what to access and then who should get access
> to it, this variant depends on getting the regex for who can access
> things exactly right.
>
> This prevents 'ou' users from changing someone else's userPassword though.
> So you can put this at the top to combine the two accesses:
>
> access to attrs=userPassword dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
> by self write
> by dn.expand="$2" write
> by * read
>
> Or you could do something like this (untested):
>
> access to * by * read break
>
> access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
> by dn.expand="$2" write break
> by * +0 break
>
> access to attrs=userPassword
> by self =wx
> by * -rscd
>
> access to * by * +0
>
> The 'break' means to go on and process the next access statements even
> when the 'to' matches the entry being accessed. '+' and '-' mean to
> add or subtract from the access already granted. The final access
> matches everything and stops the default access rules from being used,
> so things done with 'break' do not get overridden unexpectedly.
Thanks very much for this very detailed and helpful answer! I think now
I am very close to getting my system configured :)
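As an added illustration (not part of the thread and not OpenLDAP's own code), the following Python script models how slapd walks a list of "access to ... by ..." directives, and applies that model to the last, untested rule set above. It supports only the features those directives use (dn.regex, attrs=, self, dn.expand, "*", the read/write levels, "=", "+" and "-" privilege arithmetic, and the stop/break controls), approximates DN normalisation by lower-casing, and keeps the thread's placeholder suffix "xxx"; the sample DNs are the ones from the question. Use it as a sanity check of what each bind DN ends up with, not as a substitute for testing against a real server with slapacl(8) or ldapmodify.

```python
"""Simplified model of slapd ACL evaluation (added example, not OpenLDAP code)."""
import re

# Privilege letters implied by each access level, per slapd.access(5).
LEVELS = {
    "none":     set(),
    "disclose": {"d"},
    "auth":     {"x", "d"},
    "compare":  {"c", "x", "d"},
    "search":   {"s", "c", "x", "d"},
    "read":     {"r", "s", "c", "x", "d"},
    "write":    {"w", "r", "s", "c", "x", "d"},
    "manage":   {"m", "w", "r", "s", "c", "x", "d"},
}


def apply_priv(spec, granted):
    """Combine a privilege spec ('read', '=wx', '+0', '-rscd') with what earlier
    directives already granted.  A bare level or '=' replaces, '+'/'-' adjust."""
    if spec in LEVELS:
        return set(LEVELS[spec])
    op, letters = spec[0], set(spec[1:]) - {"0"}   # '+0' / '-0' change nothing
    if op == "=":
        return letters
    if op == "+":
        return granted | letters
    if op == "-":
        return granted - letters
    raise ValueError("bad privilege spec: " + spec)


def norm(dn):
    # Assumption: lower-casing stands in for slapd's DN normalisation.
    return dn.lower()


class Access:
    """One 'access to <what> by <who> <priv> [stop|break] ...' directive."""

    def __init__(self, dn_regex=None, attrs=None, by=()):
        self.dn_regex = re.compile(dn_regex, re.IGNORECASE) if dn_regex else None
        self.attrs = {a.lower() for a in attrs} if attrs else None
        self.by = list(by)

    def matches(self, target_dn, attr):
        """Return a regex match (or True) when this <what> applies, else None."""
        if self.attrs is not None and (attr is None or attr.lower() not in self.attrs):
            return None
        if self.dn_regex is None:
            return True
        return self.dn_regex.match(target_dn)


def who_matches(who, bound_dn, target_dn, m):
    if who == "*":
        return True
    if who == "self":
        return bound_dn != "" and norm(bound_dn) == norm(target_dn)
    kind, pattern = who
    if kind == "dn.expand":
        # Substitute $N with the N-th group of the dn.regex match, then compare exactly.
        expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", pattern)
        return norm(bound_dn) == norm(expanded)
    raise ValueError(who)


def evaluate(rules, bound_dn, target_dn, attr=None):
    """Privilege letters bound_dn ends up with on attr of target_dn."""
    granted = set()
    for rule in rules:
        m = rule.matches(target_dn, attr)
        if not m:
            continue
        for who, spec, control in rule.by:
            if who_matches(who, bound_dn, target_dn, m):
                granted = apply_priv(spec, granted)
                if control == "stop":
                    return frozenset(granted)
                break          # 'break': done with this directive, try the next one
        else:
            return frozenset()  # implicit 'by * none' when no <who> matched
    return frozenset()          # implicit 'access to * by * none' at the end


OU_RE = r"^(.+,)?(ou?=[^,]+,xxx)$"

# The untested variant from the reply, transcribed directive by directive.
RULES = [
    Access(by=[("*", "read", "break")]),
    Access(dn_regex=OU_RE, by=[(("dn.expand", "$2"), "write", "break"),
                               ("*", "+0", "break")]),
    Access(attrs=["userPassword"], by=[("self", "=wx", "stop"),
                                       ("*", "-rscd", "stop")]),
    Access(by=[("*", "+0", "stop")]),
]

if __name__ == "__main__":
    for bound, target, attr in [
        ("ou=support,xxx", "cn=Wang Penghui,ou=support,xxx", "userPassword"),
        ("cn=Zhang Weiwu,ou=support,xxx", "cn=Zhang Weiwu,ou=support,xxx", "userPassword"),
        ("", "cn=Zhang Weiwu,ou=support,xxx", "userPassword"),
        ("ou=support,xxx", "ou=support,xxx", "cn"),
        ("ou=support,xxx", "cn=Foo,ou=sales,xxx", "cn"),
    ]:
        print(f"{bound or '(anonymous)':32} -> {target:36} {attr:13} "
              f"{''.join(sorted(evaluate(RULES, bound, target, attr)))}")
```

Running it shows the intended split: the ou=support,xxx user gets write (but not read) on the userPassword of entries beneath it, each person gets =wx on their own password, anonymous is left with auth only, and a user from a different ou keeps plain read. Changing a rule (for example dropping the final "access to * by * +0") and re-running makes the effect of the implicit trailing "by * none" visible.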