
idea for access rules



Hi all,

maybe this is not the right list for this question; in that case
I apologize for this post.

I have no idea how to define access rules for the following case. I have
an LDAP tree like this:

ou=users
  cn=me
ou=data
  ou=data1, owner=cn=me,ou=users
    cn=fact1
    cn=fact2
  ou=data2, owner=cn=somebodyelse,ou=users
    cn=fact3
    cn=fact4

(one line represents one LDAP entry with some of its attributes, 
the level of indentation represents the tree structure) 

The point is the subtree starting at "ou=data1". The root node of this
subtree (ou=data1) has an attribute "owner" with a DN of a user account
which can be used to bind to the LDAP server (cn=me,ou=users).

Now I want to define that this specific user has write access to
some attributes of cn=fact1,ou=data1 and cn=fact2,ou=data2 etc.

I am searching for a rule like this:

access 
  to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3"
  by dnattr="owner of node ou=data1,ou=data" write
  
Obviously this dnattr syntax is not valid, but I guess you see
what I want. Any ideas on how to realize this?

Thanks for any hints

Regards
-stefan-
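As an added illustration (not part of the post above, and not slapd configuration), here is a small Python model of the rule being asked for: a bind DN may write the listed attributes of an entry below ou=data only when it is the owner recorded on the nearest ancestor that carries an owner attribute. The directory content is constructed from the tree in the post; attr1..attr3 are the post's placeholder attribute names, and everything not explicitly granted is denied.

```python
"""Model of the requested access rule: write on attr1..attr3 of an entry
below ou=data is granted to the DN named in the 'owner' attribute of the
nearest ancestor that has one. Everything else is denied by default."""

# Constructed directory: DN -> attributes, mirroring the tree in the post.
DIRECTORY = {
    "ou=users": {},
    "cn=me,ou=users": {},
    "cn=somebodyelse,ou=users": {},
    "ou=data": {},
    "ou=data1,ou=data": {"owner": "cn=me,ou=users"},
    "cn=fact1,ou=data1,ou=data": {},
    "cn=fact2,ou=data1,ou=data": {},
    "ou=data2,ou=data": {"owner": "cn=somebodyelse,ou=users"},
    "cn=fact3,ou=data2,ou=data": {},
    "cn=fact4,ou=data2,ou=data": {},
}

WRITABLE_ATTRS = {"attr1", "attr2", "attr3"}  # the post's attr1,attr2,attr3
DATA_ROOT = "ou=data"                         # subtree the rule applies to


def parent_dn(dn):
    """Return the parent DN, or None at the top (no escaped commas assumed)."""
    _rdn, sep, rest = dn.partition(",")
    return rest if sep else None


def effective_owner(dn):
    """Walk up from dn's parent and return the first 'owner' value found."""
    current = parent_dn(dn)
    while current is not None:
        owner = DIRECTORY.get(current, {}).get("owner")
        if owner:
            return owner.lower()
        current = parent_dn(current)
    return None  # no ancestor declares an owner


def may_write(bind_dn, target_dn, attr):
    """True only if bind_dn owns the subtree holding target_dn and attr is listed."""
    if target_dn not in DIRECTORY:
        return False  # unknown entry: deny
    if not target_dn.lower().endswith("," + DATA_ROOT):
        return False  # rule only covers entries strictly below ou=data
    if attr not in WRITABLE_ATTRS:
        return False  # attribute not in the granted set
    return effective_owner(target_dn) == bind_dn.lower()
```

Note that ou=data1,ou=data itself is not writable by its owner under this model, matching the post's regex, which only names the children of ou=data1.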