[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: idea for access rules

To: "Stefan Palme" <palme@kapott.org>
Subject: Re: idea for access rules
From: masarati@aero.polimi.it
Date: Sun, 21 Feb 2010 13:26:02 +0100 (CET)
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Importance: Normal
In-reply-to: <1266753803.7621.12.camel@drops.kapott.org>
References: <1266753803.7621.12.camel@drops.kapott.org>
User-agent: SquirrelMail/1.4.15

> Hi all,
>
> maybe this is not the right list for this question, in this case
> I apologize for this post..
>
> I have no idea to define access rules for the following case. Have
> an LDAP tree like this:
>
> ou=users
>   cn=me
> ou=data
>   ou=data1, owner=cn=me,ou=users
>     cn=fact1
>     cn=fact2
>   ou=data2, owner=cn=somebodyelse,ou=users
>     cn=fact3
>     cn=fact4
>
> (one line represents one LDAP entry with some of its attributes,
> the level of indentation represents the tree structure)
>
> The point is the subtree starting at "ou=data1". The root node of this
> subtree (ou=data1) has an attribute "owner" with a DN of a user account
> which can be used to bind to the LDAP server (cn=me,ou=users).
>
> Now I want to define, that this specific user has write access to
> some attributes of cn=fact1,ou=data1 and cn=fact2,ou=data2 etc...
>
> I am searching for a rule like this:
>
> access
>   to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3"
>   by dnattr="owner of node ou=data1,ou=data" write
>
> Obviously, this dnattr syntax is not valid, but I guess you see
> what I want. Any ideas how to realize this?

Try

access to dn.children="ou=data1,ou=data"
        by set="[ou=data1,ou=data]/owner & user" write

p.

Follow-Ups:
- Re: idea for access rules
  - From: Stefan Palme <palme@kapott.org>

References:
- idea for access rules
  - From: Stefan Palme <palme@kapott.org>

Prev by Date: idea for access rules
Next by Date: Re: idea for access rules
Index(es):
- Chronological
- Thread