
Give user only access to a few entries that he "owns"



Hi all,

I'm not very experienced with ldap. I've been looking into the access controls documentation but I'm unsure on what the proper way to handle this is.

So let me explain what I want to accomplish: a user entry (posixAccount, password, givenName, ...) can update his own password by using the "self" keyword. All good there. But a user has some assets he owns. For example a host (in Common tree).

I want the user to be able to update one attribute of this host.
"self" keyword doesn't work here as the user doesn't bind to it.
So I added an owner attribute to the host and with that attribute I reference to the user.

Now I need some kind of "glue" to verify that the user is allowed to write to the attribute.

Do I need a filter? Wouldn't this just filter out a specific attribute? Or will it only filter entries based on the filter match?

In the latter case (which seems like a logical way for openldap to handle this) I would need:
- attr: to select what attribute the user access is modified
- filter: to only apply on the user his host
- by: variable definition for this clause to only apply on the bound user

I've read about dnattr but I'm unsure this accomplishes what I want.

Could anyone share an example?

Thanks
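The following is an added example of the kind of ACL the question above describes; it is not part of the original post and not an answer from the list. It assumes a slapd.conf-style configuration, that hosts live under "ou=Hosts,dc=example,dc=com" (a constructed DN), that each host entry carries an "owner" attribute (core schema, DN syntax, allowed for the "device" object class) holding the DN of the user who owns it, and that the single attribute the owner may change is "description". The "by dnattr=owner" clause is the glue: it grants the access to whichever bound DN appears in the entry's own "owner" attribute, so no filter= clause is needed.

```conf
# Added example (not from the original post). Assumed DIT:
#   ou=People,dc=example,dc=com   -> posixAccount users, e.g. uid=alice,...
#   ou=Hosts,dc=example,dc=com    -> device entries with an "owner" attribute
#
# Each user may change only their own password (the "self" keyword).
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The owner of a host (the bound DN listed in the host's "owner" attribute)
# may write exactly one attribute of that host. Restricting attrs= to
# "description" keeps the user from rewriting "owner" and handing the
# entry to someone else.
access to dn.onelevel="ou=Hosts,dc=example,dc=com" attrs=description
    by dnattr=owner write
    by users read
    by * none

# Everything else under the hosts subtree is read-only for authenticated
# users. Order matters: slapd stops at the first "access to" whose target
# matches, so the narrower description rule must come before this one.
access to dn.subtree="ou=Hosts,dc=example,dc=com"
    by users read
    by * none
```

The rule can be checked offline against the configured ACLs with slapacl, without binding as the user, e.g. `slapacl -D "uid=alice,ou=People,dc=example,dc=com" -b "cn=host1,ou=Hosts,dc=example,dc=com" description/write` (constructed DNs); it reports ALLOWED only if host1's "owner" attribute contains alice's DN. Running the same check against "owner/write" should report DENIED, which confirms that ownership cannot be transferred through this rule.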