Setting a whole subtree temporarily read-only based on an attribute?
- To: openldap-technical@openldap.org
- Subject: Setting a whole subtree temporarily read-only based on an attribute?
- From: Peter Mogensen <apm@one.com>
- Date: Wed, 31 Oct 2012 18:16:56 +0100
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0
Hi,
I've been reading slapd.access back and forth a few times in search
of a way to make an ACL which defines read (and only read) access to a
whole subtree in the DIT based on the value of an attribute of the
subtree root node.
I've found out how to do it for a named user by defining a group
attribute on the node like this:
olcAccess: {2}to dn.regex="^.+,o=([^,]+),dc=example,dc=com" by group/NamedObject/denied.expand="o=$1,dc=example,dc=com" read by * +0 break
But this only denies the named DNs write access. What I want is to deny
everybody write access to everything below the o=$1 RDN.
Conceptually I would also imagine that this would belong in the <WHAT>
clause of the ACL and not in the <WHO> clause, but I can't find any
mechanism to do something like:
access to dn.<which-have-attr-set-to-readonly>.children by * read
What is the text-book way to do this?
regards,
Peter