Hi all,
I am running an openldap 2.4.7 on debian with small local schema modifications: a few more attributes and an objectClass derived from inetOrgPerson.
I have looked in the administrator's guide and the slapd.access manpage but I can't figure out how to do the following: I want to give write access depending on the value of an attribute.
An attribute in the target (the "what") or in the user (the "who")?
something like: access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
This syntax is not valid.
If I have read the manpage correctly, I can't do it with a filter. Is there any way to get this behavior?
If access depends on values in the "what", use filter="<your filter>" in the "what" clause; if access depends on values in the "who", use sets; in your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
should work (note: indentation has probably been destroyed by my mailer).
It is not clear to me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
Dynacl has nothing to do with it. In fact, dynacl is a mechanism that allows you to code access checking yourself, and plug it in as a run-time loadable object. So, by itself, it would allow a lot of freedom, provided you can write the code that does what you mean.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
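The two cases from the reply above, written out as a slapd.conf ACL fragment. This is an added example, not from the thread or from the OpenLDAP project; the ou=people / ou=groups tree, the cn=admins group and the "managed" description value are assumed names.

```conf
# Added example (not from the thread). Assumed layout:
#   ou=people,dc=example,dc=com  holds inetOrgPerson entries,
#   employeeType=chief marks the privileged users,
#   cn=admins,ou=groups,dc=example,dc=com is an ordinary group.
# ACLs are evaluated in order; the first "access to" whose <what>
# matches the target entry decides, so specific clauses go first.

# Case 1: access depends on an attribute of the TARGET entry ("what").
# filter= narrows the <what> to group entries carrying
# description=managed; other groups fall through to later ACLs.
access to dn.children="ou=groups,dc=example,dc=com"
       filter="(description=managed)"
       attrs=cn,description,memberUid,entry
    by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
    by * read

# Case 2: access depends on an attribute of the REQUESTER ("who").
# The set expands the URL to the entryDN of every inetOrgPerson with
# employeeType=chief and intersects it with the bound DN ("user");
# the clause matches only when that intersection is non-empty, i.e.
# when the requester is a chief. "entry" must be in attrs so the
# entry itself (not just its attributes) is writable.
access to dn.exact="cn=foo,ou=groups,dc=example,dc=com"
       attrs=cn,description,memberUid,entry
    by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
    by * read

# Catch-all: anything not matched above is readable by authenticated
# users only; anonymous gets nothing.
access to *
    by users read
    by * none
```

Check the result with slapacl before relying on it, e.g. `slapacl -D "uid=alice,ou=people,dc=example,dc=com" -b "cn=foo,ou=groups,dc=example,dc=com" memberUid/write`, once for a chief and once for a non-chief user.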