----- "fathi engineer" fathi.engineer@gnet.tn wrote:
Hi,
In the proccess of setting up an openldap server as a pgp key server, I want to grant access to every authenticated user to create a new entry in a subtree of the basedn and every body to read entries in that subtree but only creator to be able to modify his entries.
I tried with the following (unsuccessfully):
access to dn.children="ou=PGP Keys,o=SNCFT,c=TN" by dn.regex="^uid=([^,]+),(ou=[^,]+,)+ou=Users,o=SNCFT,c=TN$" selfwrite by dn.regex="^uid=([^,]+),ou=Users,o=SNCFT,c=TN$" write by * read
and also by dnattr=owner selfwrite by users write by * read
but none worked.
I am running openldap-2.3.27-8.el5_2.4
Did you read slapd.access(5)? Did you read the requirements for the add and modify operations? You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification. And "owner" is a specific attribute of some objectClasses; unless you're creating those objects with the correct "owner" value, the creator will not be able to write them. You should use
by dnattr=creatorsName write
The "self" is not needed; it refers to a user writing to a target corresponding to its own name, or to an attribute whose value consists in its own name.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------