Re: Openldap fine grained / advanced ACLs
So basically I can do:
# slapd.conf form of the same rule: the "access" keyword and a dn.exact=
# qualifier are required, and the level keyword for "z" (zap) is "delete".
# Comments must start a line; slapd.conf has no trailing comments.
access to *
    by dn.exact="cn=admin,dc=company,dc=com" add
    by dn.exact="cn=faraz,dc=company,dc=com" delete
That is indeed not documented anywhere. Will start an ITS.
Pierangelo Masarati wrote:
Faraz R. Khan wrote:
Is it possible to have fine grained ACLs in OpenLDAP? My problem is
that the 'write' access is too broad. I wish to be able to control
ADD, modify and delete separately. I tried looking at
aacls.sourceforge.net but it involves the setup of a separate server
and looks abandoned.
Any pointers would be appreciated; maybe the denyop module? I was
trying to find some docs, but all I could find was a FAQ entry.
OpenLDAP 2.4 allows splitting the write privilege into "a" (add) and "z"
(zap). A separate privilege for "modify" does not make too much sense
to me: if a value is added, then one just needs "add"; if a (set of)
value(s) is replaced, then one needs both "zap" (to delete old values)
and "add" (to add new ones), and thus "write" is just fine. On a
related note, I just realized this is not documented anywhere but in the
mailing list. I suggest you file an ITS <http://ww.openldap.org/its/>
to request a documentation update.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
-----------------------------------
--
Faraz R Khan
Chief Architect
Emergen Consulting Pvt Ltd
+92.21.529.0381 x200
www.emergen.biz
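The reply above states the rule behind the split: a modify/add needs "a", a modify/delete needs "z", and a modify/replace needs both, so "write" (= a + z) is what a replace requires. The following is an added toy model of that rule, not OpenLDAP code and not anything posted in the thread. It encodes the cumulative level table from slapd.access(5) ({write|add|delete} = {w|a|z}rscdx, with write modelled as a + z), parses a small constructed slapd.conf-style ACL fragment using the hypothetical DNs from the thread, and evaluates which modify change types each bound DN may perform. The parser only understands "to *", "to attrs=...", and the who forms "*", "users", "anonymous" and dn.exact="..."; everything else (self, regex, sets, break/continue, entry-level checks for whole-entry add/delete) is deliberately left out.

```python
"""Toy model of OpenLDAP 2.4's split write privilege: add ('a') vs delete ('z', "zap").

Constructed illustration, not slapd code. It mirrors the cumulative level
table in slapd.access(5) and the thread's rule that replace = delete + add.
"""
import re

# Privilege letters per level (slapd.access(5), 2.4). Levels are cumulative;
# 'write' is modelled as the union of 'add' (a) and 'delete' (z).
_BASE = {
    "none": "",
    "disclose": "d",
    "auth": "dx",
    "compare": "cdx",
    "search": "scdx",
    "read": "rscdx",
    "add": "arscdx",
    "delete": "zrscdx",
    "write": "azrscdx",
    "manage": "mazrscdx",
}
LEVELS = {name: frozenset(letters) for name, letters in _BASE.items()}

# Privileges each LDAP modify change type needs on the attribute:
# replace must zap the old values and add the new ones, hence both.
MOD_REQUIRES = {
    "add": frozenset("a"),
    "delete": frozenset("z"),
    "replace": frozenset("az"),
}

_ACCESS_RE = re.compile(r'^\s*access\s+to\s+(\S+)\s*(.*)$')
_BY_RE = re.compile(r'by\s+(\*|users|anonymous|dn\.exact="[^"]*")\s+(\w+)')


def parse_acls(text):
    """Parse an ACL fragment into [(what, [(who, level), ...])].

    Continuation lines (indented 'by ...' clauses) attach to the previous
    'access to' directive, as slapd's config parser does.
    """
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ACCESS_RE.match(line)
        if m:
            acls.append((m.group(1), []))
            rest = m.group(2)
        else:
            if not acls:
                raise ValueError(f"'by' clause before any 'access to': {line}")
            rest = line
        for who, level in _BY_RE.findall(rest):
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            acls[-1][1].append((who, level))
    return acls


def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        names = [a.strip().lower() for a in what[len("attrs="):].split(",")]
        return attr.lower() in names
    return False


def _who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who.startswith('dn.exact="'):
        return bind_dn is not None and who[len('dn.exact="'):-1].lower() == bind_dn.lower()
    return False


def granted_privs(acls, bind_dn, attr):
    """First 'access to' whose <what> matches wins; within it the first matching
    'by' wins; an unmatched directive denies (implicit 'by * none'), as in slapd."""
    for what, clauses in acls:
        if not _what_matches(what, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, bind_dn):
                return LEVELS[level]
        return LEVELS["none"]
    return LEVELS["none"]


def modify_allowed(acls, bind_dn, attr, change_type):
    """True if the bound DN holds every privilege the change type needs."""
    return MOD_REQUIRES[change_type] <= granted_privs(acls, bind_dn, attr)


# Constructed fragment with hypothetical DNs: admin may only add values,
# faraz may only zap them, nobody but admin may touch userPassword.
SAMPLE_ACL = """
access to attrs=userPassword
    by dn.exact="cn=admin,dc=company,dc=com" write
    by * auth
access to *
    by dn.exact="cn=admin,dc=company,dc=com" add
    by dn.exact="cn=faraz,dc=company,dc=com" delete
    by * read
"""


def demo():
    acls = parse_acls(SAMPLE_ACL)
    admin = "cn=admin,dc=company,dc=com"
    faraz = "cn=faraz,dc=company,dc=com"
    return {
        ("admin", "add"): modify_allowed(acls, admin, "mail", "add"),
        ("admin", "replace"): modify_allowed(acls, admin, "mail", "replace"),
        ("faraz", "delete"): modify_allowed(acls, faraz, "mail", "delete"),
        ("faraz", "add"): modify_allowed(acls, faraz, "mail", "add"),
        ("admin", "password"): modify_allowed(acls, admin, "userPassword", "replace"),
    }


if __name__ == "__main__":
    for (who, op), ok in demo().items():
        print(f"{who:6} {op:9} -> {'allowed' if ok else 'denied'}")
```

The run shows the practical consequence of the split: a principal granted only "add" on an attribute can append values but cannot replace them, because replace needs "z" as well, while "write" on userPassword lets admin replace it. In a real deployment remember that slapd also checks entry-level privileges for whole-entry add and delete operations, and that the first matching "access to" directive ends evaluation, so the order of the attrs= directive and the catch-all matters exactly as it does in this model.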