Help for special ACL needed
- To: openldap-technical@openldap.org
- Subject: Help for special ACL needed
- From: Florian Götz <f.goetz@hs-mannheim.de>
- Date: Thu, 30 Apr 2009 11:44:15 +0200
- Content-disposition: inline
- Organization: Hochschule Mannheim
- User-agent: KMail/1.11.2 (Linux/2.6.28-11-generic; KDE/4.2.2; i686; ; )
A warm "Hello" from Germany to the openldap-technical list!
I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server.
I need to write an ACL which allows a user to see his own entry (objectClass
built on inetOrgPerson) and nothing else.
I know that this isn't the intended use of the LDAP system, but our manager
wants it that way.
I tried something like this:
access to dn.regex="uid=([^,]+),dc=justushere,dc=de$" attrs=entry
    by dn.regex="uid=$1,ou=Users,dc=justushere,dc=de" write
    by users none
but I just get a message about invalid credentials.
The command used was:
ldapsearch -xWD uid=user1,ou=users,dc=justushere,dc=de uid=user1
Running
ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=user1
with the rootdn account shows the information, but if the uid of user1 is used
for binding, it fails.
Does anyone have an idea how to realize these restrictions?
Additionally, not all attributes should be listed to the user, only a few that
are important for him. My idea was to use an ACL like the one above to make sure
the user only gets access to his own object, and then add a second ACL below it
which restricts access to the important attributes.
Best regards
Florian Götz
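As an added example that is not part of the thread, a slapd.conf ACL set that implements the stated requirement (own entry only, selected attributes only). It assumes the DIT layout from the post (users under ou=Users,dc=justushere,dc=de), simple binds, and takes uid, cn, sn and mail as stand-ins for the "important" attributes:

```conf
# Added example (not from the thread): slapd.conf ACL fragment for the stated
# requirement. Assumed: people live under ou=Users,dc=justushere,dc=de and bind
# with simple bind; uid, cn, sn and mail stand in for the "important" attributes.
# ACLs are evaluated top down: the first "access to" clause whose target matches
# is used, and within it the first matching "by" clause decides.

# 1. A simple bind is evaluated as anonymous and needs "auth" on userPassword.
#    Without such a rule slapd answers every non-rootdn bind with invalid
#    credentials, regardless of what the later rules would permit.
access to dn.subtree="ou=Users,dc=justushere,dc=de" attrs=userPassword
        by anonymous auth
        by * none

# 2. A user may read only his own entry ("self": the bound DN equals the
#    target DN) and of it only the listed attributes. "entry" is the
#    pseudo-attribute that grants access to the entry itself; read implies
#    search, so a filter such as (uid=user1) still matches.
access to dn.subtree="ou=Users,dc=justushere,dc=de" attrs=entry,uid,cn,sn,mail
        by self read
        by * none

# 3. Everything not matched above (other attributes, other users' entries,
#    the rest of the tree) is denied to everyone. The rootdn bypasses ACLs
#    entirely, which is why a search bound as cn=admin shows the full entry.
access to *
        by * none
```

When testing, bind as the user and search with his own DN as the base (-b uid=user1,ou=Users,dc=justushere,dc=de); that keeps the test independent of how much the server discloses about the container entries above it, which this fragment grants no access to.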