[Date Prev][Date Next] [Chronological] [Thread] [Top]

Setting a whole subtree temporarily read-only based on an attribute?

To: openldap-technical@openldap.org
Subject: Setting a whole subtree temporarily read-only based on an attribute?
From: Peter Mogensen <apm@one.com>
Date: Wed, 31 Oct 2012 18:16:56 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0

Hi,

I've been reading the slapd.access back and forth a few times in searchfor a way to make an ACL, which defines read (and only read) access to awhole subtree in the DIT based on the value of an attribute of thesubtree root node.

I've found out how to do it for a named user by defining a groupattribute on the node like this:

olcAccess: {2}to dn.regex="^.+,o=([^,]+),dc=example,dc=com" bygroup/NamedObject/denied.expand="o=$1,dc=example,dc=com" read by * +0 break

But this only denies the named DNs write access. What I want to to denyeverybody write access to everything below the o=$1 RDN.

Conceptually I would also imagine, that this would belong in the <WHAT>clause of the ACL and not in the <WHO> clause, but I can't find anymechanism to do stuff like:


access to dn.<which-have-attr-set-to-readonly>.children by * read


What is the text-book way to do this?

regards,
Peter

Prev by Date: Re: Error : when create usermachine in LDAP
Next by Date: Re: Problem in sync-repling multiple databases
Index(es):
- Chronological
- Thread