Re: Access control for multiple admins
On 10.07.2010 08:50, Dieter Kluenter wrote:
> Luiz Marcelo <85marcelo@gmail.com> writes:
>
>> Hello everyone!
>>
>> Good, I have a scenario where two directors write to the same base, e.g.
>>
>> "cn=admin1,dc=domain,dc=com" and
>> "cn=admin2,dc=domain,dc=com"
>>
>> In general, both have write permission on the base. However,
>> assuming the user admin1 adds the entry
>> "uid=john,ou=people,dc=domain,dc=com", only the admin1 user may modify
>> this entry, so each admin should only modify the entries they created
>> themselves, in any part of the base.
>>
>> Would anyone have an idea how I could create an access control list
>> for this?
>
> I can provide an idea, but not a working solution :-)
> You may create a set access rule that only allows write access to an
> entry if attribute value of creatorsName corresponds to present
> authenticated user.
> Unfortunately there is almost no information available on sets, but
> you may search the archive of the openldap-software mailing list and
> http://www.openldap.org/faq/data/cache/1133.html
> http://www.openldap.org/faq/data/cache/1134.html
>
> -Dieter
>
>
Hi,
Why use sets? He could just use a filter in <what>, like this:
# Entries whose creatorsName is admin1: only admin1 may write, anyone may read
access to filter="(creatorsName=cn=admin1,dc=domain,dc=com)"
        by dn="cn=admin1,dc=domain,dc=com" write
        by * read
# Same for entries created by admin2
access to filter="(creatorsName=cn=admin2,dc=domain,dc=com)"
        by dn="cn=admin2,dc=domain,dc=com" write
        by * read
Regards,
Christian Manal
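A complete slapd.conf ACL fragment for the scenario in this thread, added here as an editorial example; it is not code from either poster. It assumes the layout from the question (user entries under ou=people,dc=domain,dc=com, the two directors binding as cn=admin1 and cn=admin2) and that neither admin is the rootdn, which bypasses ACLs entirely and would make any rule moot. It goes beyond the two filter rules above in four ways: it grants the write access to the parent's children pseudo-attribute that an add or delete also needs, it keeps userPassword out of the general read grant, it ends with the catch-all rule slapd needs after the specific ones (ACLs are first-match, and anything matched by no rule is denied), and it replaces the one-rule-per-admin filters with the set comparison Dieter described, so it holds for any number of admins. The set expression is the assumed part: sets are a lightly documented feature, so verify it on your build as described after the block.

```conf
# Added example, not from the thread: slapd.conf ACLs for "each admin may
# only modify the entries it created". Assumptions: users live under
# ou=people,dc=domain,dc=com; admins bind as cn=admin1 / cn=admin2 and are
# not the rootdn (rootdn bypasses ACLs). Rules are tried in order and the
# first <what> that matches the target entry/attribute decides, so the
# specific rules come before the catch-all.

# 1. Passwords: owner, creator or anonymous bind only. Without this rule
#    the general read grant in rule 3 would expose password hashes.
access to dn.subtree="ou=people,dc=domain,dc=com" attrs=userPassword
        by set="this/creatorsName & user" write
        by self write
        by anonymous auth
        by * none

# 2. Adding a child under ou=people (and deleting or renaming one) needs
#    write access to the parent's "children" pseudo-attribute. This is the
#    only place where admins are listed by name.
access to dn.exact="ou=people,dc=domain,dc=com" attrs=children
        by dn.exact="cn=admin1,dc=domain,dc=com" write
        by dn.exact="cn=admin2,dc=domain,dc=com" write
        by * none

# 3. Inside ou=people: the bound DN ("user") gets write only if it equals
#    the entry's creatorsName ("this/creatorsName"); the intersection is
#    non-empty exactly then. Assumed to be equivalent to the per-admin
#    "access to filter=(creatorsName=...)" rules without enumerating admins.
#    Read is limited to authenticated users here; the thread's "by * read"
#    would also allow anonymous reads.
access to dn.subtree="ou=people,dc=domain,dc=com"
        by set="this/creatorsName & user" write
        by users read
        by * none

# 4. Catch-all for the rest of the DIT: anonymous may only bind,
#    authenticated users may read.
access to *
        by anonymous auth
        by users read
        by * none
```

Check the rules with slapacl before putting them live; it evaluates the configured ACLs for a bound DN against an existing entry without starting slapd. For an entry admin1 created, `slapacl -f /etc/openldap/slapd.conf -D cn=admin2,dc=domain,dc=com -b uid=john,ou=people,dc=domain,dc=com sn/write` should report write access as DENIED, and the same command with `-D cn=admin1,dc=domain,dc=com` should report it ALLOWED (the config path is an assumption; use your own). The add case cannot be exercised with slapacl because the entry does not exist yet: in my reading of the add path slapd fills in creatorsName with the bound DN before the backend evaluates the ACL, so rule 3 permits an admin's own add, but confirm that by actually adding an entry as admin1 and then trying to modify it as admin2. Note also that the set rule only covers entries whose creatorsName is one of the ACL-subject DNs; entries loaded with slapadd or created by the rootdn carry a different creatorsName and will be read-only for both admins.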