
Re: ACL for object creation in subtree with specific attributes and object classes



On Tue, 5 Aug 2014 09:41:36 +0200,
Simeon Ott <simeon.ott@onnet.ch> wrote:

> Hello,
> 
> I'd like to refine my permission set of my openldap installation.
> The tree structure is:
> dc=mydomain
> 	- cn=admin (ldap admin)
> 	- ou=domains (customer domains)
> 		- ou=example1.com
> 			- cn=user1
> 			- cn=user2
> 			- cn=postmaster
> 		- ou=example2.com
> 			- cn=user1
> 			- cn=user2
> 			- cn=postmaster
> 
> The user postmaster is able to change specific attributes of objects
> in its own "domain" (one level up).
> 
> The current ACLs are defined as:
> 
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
> 	attrs=userPassword
> 	by dn.base="cn=admin,dc=mydomain" write
> 	by self write
> 	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
> 	by anonymous auth
> 	by * none
> access to attrs=userPassword
> 	by dn.base="cn=admin,dc=mydomain" write
> 	by self write
> 	by anonymous auth
> 	by * none
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
> 	attrs=sn,description,vacationActive,vacationInfo,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
> 	by self write
> 	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
> 	by * read
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
> 	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
> 	by * read
> access to *
> 	by dn.base="cn=admin,dc=mydomain" write
> 	by * read
> 
> ACL rule 4 allows the postmaster to add objects to its "domain"
> without any restrictions. How can I restrict the object creation to
> specific object classes and attributes? Let's say postmaster should
> only be able to add objects like the following:
[...]
man slapd.access(5), the <WHAT> field: @<objectClass>

-Dieter

-- 
Dieter Klünter | System Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
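A constructed slapd.conf fragment showing the approach the reply points at; it is not from the thread or from OpenLDAP itself. It replaces rule 4 of the quoted configuration, is placed after the userPassword and attribute-specific rules so those keep precedence, and assumes the user entries use objectClass inetOrgPerson (a guess; substitute the real class).

```conf
# Constructed example (not from the thread). Assumes user entries are
# inetOrgPerson: @inetOrgPerson expands to every attribute that class
# requires or allows (superclasses included), and filter= is evaluated
# against the entry being added. The first "access to" clause matching
# both the DN and the attribute wins, so cn=admin must be listed here as
# well or it loses write access to these pseudo-attributes.

# Postmaster may add or delete entries directly below its own domain ou.
# The regex has no optional prefix group, so the ou is $1 (not $2 as in
# the quoted rules). OpenLDAP 2.4 also accepts the finer "add" and
# "delete" levels in place of "write" here.
access to dn.regex="^ou=([^,]+),ou=domains,dc=mydomain$" attrs=children
	by dn.base="cn=admin,dc=mydomain" write
	by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
	by * none

# An add also needs write on the new entry's "entry" pseudo-attribute and
# on each attribute it carries. Only an inetOrgPerson carrying
# inetOrgPerson attributes qualifies; an entry of another class, or one
# with an attribute outside that class (uidNumber, say), falls through to
# the final "access to *" rule, where postmaster only has read, so the
# add is refused.
access to dn.regex="^cn=[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
	filter=(objectClass=inetOrgPerson)
	attrs=entry,@inetOrgPerson
	by dn.base="cn=admin,dc=mydomain" write
	by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
	by * read

# The original catch-all stays last.
access to *
	by dn.base="cn=admin,dc=mydomain" write
	by * read
```

Check the result with slapacl(8) for the postmaster DN before and after the change rather than trusting the rule order by eye.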