
Re: (raise question again) how to configure LDAP to allow each logged-in user to modify the subtree of the current user?



On Tue, 2007-05-15 at 17:08 +0200, Hallvard B Furuseth wrote:
> Zhang Weiwu writes:
> > Is it possible to define an ACL so that every user who has successfully
> > bound (logged in) can modify their own entry as well as the sub-entries
> > under it?
> >
> > e.g.
> > dn: ou=support,xxx
> >
> > if one connection is bound to this dn, it can modify these entries:
> >
> > dn: cn=Wang Penghui,ou=support,xxx
> > dn: cn=Zhang Weiwu,ou=support,xxx
> 
> Something like this:
> 
> access to attrs=userPassword
> 	by self  =wx
> 	by *  auth
> 
> access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
> 	by dn.expand="$2"  write
> 	by *  read
> 
> Since you must first say what to access and then who should get access
> to it, this variant depends on getting the regex for who can access
> things exactly right.
> 
> This prevents 'ou' users from changing someone else's userPassword though.
> So you can put this at the top to combine the two accesses:
> 
> access to attrs=userPassword dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
> 	by self  write
> 	by dn.expand="$2" write
> 	by *  read
> 
> Or you could do something like this (untested):
> 
> access to * by * read  break
> 
> access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
> 	by dn.expand="$2"  write  break
> 	by *  +0  break
> 
> access to attrs=userPassword
> 	by self  =wx
> 	by *  -rscd
> 
> access to * by * +0
> 
> The 'break' means to go on and process the next access statements even
> when the 'to' matches the entry being accessed.  '+' and '-' mean to
> add to or subtract from the access already granted.  The final access
> matches everything and stops the default access rules from being used,
> so things done with 'break' do not get overridden unexpectedly.


Thanks very much for this very detailed and helpful answer! I think now
I am very close to getting my system configured :)
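
Added example (not part of the thread, and not OpenLDAP code): the piece of Hallvard's answer that is easiest to get wrong is the regex, since "$2" has to capture exactly the ou entry that should be allowed to write. The script below runs that regex over a few constructed DNs (only the two support users come from the thread; "xxx" stays as the placeholder suffix) and emulates the second access directive, "by dn.expand="$2" write / by * read", so you can see which bound DN wins write on which entry before putting the rule into slapd.conf. DNs are compared as plain strings here; slapd compares normalized DNs, which is not emulated.

```python
import re

# The 'to' clause from the reply, unchanged; 'xxx' is the thread's placeholder
# suffix. Python's re module accepts this POSIX-style pattern as written.
ACL_DN_REGEX = re.compile(r"^(.+,)?(ou?=[^,]+,xxx)$")

# Constructed sample entries; only the two support users appear in the thread.
SAMPLE_ENTRIES = [
    "ou=support,xxx",
    "cn=Wang Penghui,ou=support,xxx",
    "cn=Zhang Weiwu,ou=support,xxx",
    "cn=Li Si,ou=sub,ou=support,xxx",   # nested ou below support
    "cn=Bob,o=acme,xxx",                # 'ou?' also admits o=
    "cn=Mallory,ou=support,yyy",        # wrong suffix
    "cn=Eve,ou=support,xxx,dc=evil",    # xxx is not the end of the DN
]


def match_target(entry_dn):
    """Return what $2 expands to for entry_dn, or None when the
    'to dn.regex=...' clause does not select the entry at all."""
    m = ACL_DN_REGEX.match(entry_dn)
    return m.group(2) if m else None


def access_for(bind_dn, entry_dn):
    """Emulate the second access directive of the reply:

        access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
            by dn.expand="$2"  write
            by *  read

    'by' clauses are tried in order and the first one matching the bound
    identity wins. Returns 'write', 'read', or None when the 'to' clause
    does not match (slapd then moves on to the next access directive).
    An anonymous bind is modelled as bind_dn == ''."""
    target = match_target(entry_dn)
    if target is None:
        return None
    if bind_dn == target:          # by dn.expand="$2" write
        return "write"
    return "read"                  # by * read (anonymous included)


def writers_table(entries=SAMPLE_ENTRIES):
    """Map each entry to the DN that is granted write on it via $2."""
    return {dn: match_target(dn) for dn in entries}


if __name__ == "__main__":
    for dn, writer in writers_table().items():
        print(f"{dn:36s} -> $2 = {writer}")
    print(access_for("ou=support,xxx", "cn=Wang Penghui,ou=support,xxx"))          # write
    print(access_for("ou=sales,xxx", "cn=Wang Penghui,ou=support,xxx"))            # read
    print(access_for("ou=sub,ou=support,xxx", "cn=Li Si,ou=sub,ou=support,xxx"))   # read
```

Two things the table makes visible: because "(.+,)?" is greedy and "$2" is anchored on ",xxx", a nested "ou=sub,ou=support,xxx" never becomes "$2", so only the ou directly under the suffix gets write on its subtree, and "ou?" means an "o=" entry under the suffix is treated the same way. Also, "by * read" covers anonymous binds as well as authenticated ones; if read should require a bind, "by users read" is the slapd keyword for that.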