--On Sunday, May 03, 2009 04:14:59 AM +0200 Wolfgang Lorenz wl-chmw@gmx.de wrote:
Hello,
I'm quite new to LDAP and at the moment I'm really just playing around, and trying to learn how to configure and use OpenLDAP correctly.
So I set up some kind of a small address directory, as could be used by my family to have a central place where addresses can be stored, just to keep in contact. The setup looks like this:

# reading out data as authenticated user
access to dn.children="ou=people,dc=example,dc=org"
    by self write
    by users read
access to dn.base="ou=people,dc=example,dc=org"
    by users read
access to dn.base="dc=example,dc=org"
    by users read
This seems to work fine: I can log in using my dn uid=wolfgang,ou=people,dc=example,dc=org, and I can change my details and view the details of the other uids.
Then I thought it would be nice to be able to create my own address books within my "self" contact, such as ou=adrbook01,uid=wolfgang,ou=people,dc=example,dc=org, and have in there contacts that can only be shown by me. All other users should be able to do the same thing, of course. So I tried to create the new ou=adrbook01 entry and got a "no write access to entry". As I understand it, I may only add and change attributes that lie within my binddn.
So, now my question is: how can I configure slapd to enable users to build their own subtrees, without having to give a rule for every single uid that lies within ou=people?
Thanks in advance, Wolfgang
In a past life I set up a directory where users are allowed to add entries one level down from their own entry. This was to support an application that allowed users to save URLs. The URLs marked public were displayed with their directory listing, and the URLs marked private were visible only to themselves. In any case, the ACLs required to support this look like:
access to filter=(&(objectclass=urlobject)(urlprivate=Y)) by self.level{-1} write by * none
access to filter=(&(objectclass=listobject)(!(urlprivate=Y))) by self.level{-1} write by * read
Bill
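The following is an added example, not code from either message in this thread: a small Python model of slapd's first-match ACL evaluation, used to show why Wolfgang's posted rules yield only read access on ou=adrbook01,uid=wolfgang,ou=people,dc=example,dc=org (hence "no write access to entry"), and how a rule in the self.level{-1} style of Bill's ACLs hands each user a one-level-deep subtree of its own while hiding it from other users. It assumes, per slapd.access(5), that self.level{-1} matches entries exactly one level below the bound DN; it models entry-level rights only (on add, slapd additionally checks write access to the parent's children pseudo-attribute, which this toy omits); and the private-subtree rule, its dn.regex pattern and the user uid=anna are constructed for illustration.

```python
import re

# --- tiny DN helpers -------------------------------------------------------
def split_dn(dn):
    """Split a DN into (type, value) RDNs on unescaped commas, lower-cased for
    comparison. Good enough for single-valued RDNs; a+b RDNs are not handled."""
    parts = re.split(r'(?<!\\),', dn)
    return tuple((t.strip().lower(), v.strip().lower())
                 for t, _, v in (p.partition('=') for p in parts))

def levels_below(dn, ancestor):
    """Number of levels dn lies below ancestor, or None if not a descendant."""
    d, a = split_dn(dn), split_dn(ancestor)
    if len(d) > len(a) and d[len(d) - len(a):] == a:
        return len(d) - len(a)
    return None

# --- 'access to <what>' and 'by <who>' matching ----------------------------
def target_matches(style, pattern, target):
    if style == 'dn.base':
        return split_dn(target) == split_dn(pattern)
    if style == 'dn.children':
        return levels_below(target, pattern) is not None
    if style == 'dn.regex':
        return re.search(pattern, target, re.IGNORECASE) is not None
    raise ValueError('unsupported target style: %s' % style)

def who_matches(who, bound, target):
    """bound is the authenticated DN (None for anonymous)."""
    if who == '*':
        return True
    if who == 'anonymous':
        return bound is None
    if who == 'users':
        return bound is not None
    if who == 'self':
        return bound is not None and split_dn(bound) == split_dn(target)
    m = re.fullmatch(r'self\.level\{-(\d+)\}', who)
    if m:
        # self.level{-n}: target must sit exactly n levels below the bound DN
        # (assumed semantics of the form Bill uses; only the negative form
        # that appears in the thread is modelled here)
        return bound is not None and levels_below(target, bound) == int(m.group(1))
    raise ValueError('unsupported who clause: %s' % who)

def evaluate(acl, bound, target):
    """slapd semantics: the first 'access to' whose target matches wins; within
    it the first 'by' whose identity matches decides; otherwise implicit none."""
    for style, pattern, by_clauses in acl:
        if target_matches(style, pattern, target):
            for who, level in by_clauses:
                if who_matches(who, bound, target):
                    return level
            return 'none'
    return 'none'

# --- the ACLs under discussion --------------------------------------------
PEOPLE = 'ou=people,dc=example,dc=org'

# Wolfgang's configuration as posted
ORIGINAL_ACL = [
    ('dn.children', PEOPLE, [('self', 'write'), ('users', 'read')]),
    ('dn.base', PEOPLE, [('users', 'read')]),
    ('dn.base', 'dc=example,dc=org', [('users', 'read')]),
]

# Hypothetical variant (constructed for this example): a rule placed first
# that gives each uid write access to entries directly below itself and hides
# them from everyone else. Deeper entries would need further clauses.
PRIVATE_ACL = [
    ('dn.regex', r'^[^,]+,uid=[^,]+,' + re.escape(PEOPLE) + r'$',
     [('self.level{-1}', 'write'), ('*', 'none')]),
] + ORIGINAL_ACL

# sample identities and targets (constructed)
WOLF = 'uid=wolfgang,ou=people,dc=example,dc=org'
ANNA = 'uid=anna,ou=people,dc=example,dc=org'
BOOK = 'ou=adrbook01,uid=wolfgang,ou=people,dc=example,dc=org'

if __name__ == '__main__':
    for name, acl in (('original', ORIGINAL_ACL), ('private', PRIVATE_ACL)):
        for bound in (WOLF, ANNA, None):
            for target in (WOLF, BOOK):
                print('%-8s bound=%-35s target=%-55s %s'
                      % (name, bound or 'anonymous', target, evaluate(acl, bound, target)))
```

Running it shows the posted rules granting wolfgang only read on ou=adrbook01 (rule 1 matches as a child of ou=people, but 'self' does not match an entry that is not the bound DN itself), while the constructed rule gives write to the owner and none to uid=anna, and leaves uid=wolfgang's own entry readable by other users as before.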