Hello all OpenLDAP users,
I'm quite new to LDAP and I need to modify a currently existing LDAP database. There exist users in the database which can authenticate, and I would like to add a specific parameter on some of those users to enable write access to them (for the moment they only have read access). For example I currently have 2 users:
uid=user1,ou=Users,dc=myCompany,dc=fr
uid=user2,ou=Users,dc=myCompany,dc=fr
I changed my schema in order to be able to define an attribute admin="TRUE" on user1. Now, I would like that only user1 could change anything in the database, and not user2. How would I do that? Is it possible to define an ACL based on the attribute of a DN?
Thanks
Francois MAROT
"Francois Marot" francois.marot@gmail.com writes:
Hello all OpenLDAP users,
I'm quite new to LDAP and I need to modify a currently existing LDAP database. There exist users in the database which can authenticate, and I would like to add a specific parameter on some of those users to enable write access to them (for the moment they only have read access). For example I currently have 2 users:
uid=user1,ou=Users,dc=myCompany,dc=fr
uid=user2,ou=Users,dc=myCompany,dc=fr
I changed my schema in order to be able to define an attribute admin="TRUE" on user1. Now, I would like that only user1 could change anything in the database, and not user2. How would I do that? Is it possible to define an ACL based on the attribute of a DN?
http://www.openldap.org/lists/openldap-software/200807/msg00085.html
http://www.openldap.org/lists/openldap-software/200807/msg00091.html
-Dieter
Thanks Dieter,
your links led me to the following in my slapd.conf:

access to *
    by set="user/admin & [TRUE]" write
    by self write
    by * read
    by anonymous read

I must add that "user/admin & [TRUE]" represents the currently logged in user and its "admin" attribute, which must be set to TRUE. It wasn't clear that "user" represents the currently logged in user: I thought it was the name of the parent node or something like this... The LDAP concept is still not quite clear to me!
Again, thanks Dieter
Francois MAROT
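Added example (not from the thread and not the poster's configuration): the same set-based rule with the admin attribute itself guarded first. As posted, "by self write" on "access to *" also covers the admin attribute, so any user could set admin: TRUE on their own entry; slapd uses the first "access to" directive whose target matches and stops at the first matching "by" clause, so the attribute-specific directive must come before the catch-all. It assumes the custom attribute is named admin and the suffix is dc=myCompany,dc=fr, as in the thread.

```conf
# slapd.conf ACL fragment (added example, not the poster's own config).
# Assumes a custom attribute named "admin" (boolean, value TRUE) and the
# suffix dc=myCompany,dc=fr from the thread.

# 1. Guard the privilege-granting attribute first.
#    "by self read" is listed before the set clause on purpose: when slapd
#    evaluates "user/admin" it looks up the bound user's own admin value,
#    and that lookup is satisfied here by the self clause, so the set
#    clause never has to evaluate itself. Admins may change other users'
#    flags; a user may only see their own; everyone else sees nothing.
access to attrs=admin
    by self read
    by set="user/admin & [TRUE]" write
    by * none

# 2. Passwords: users may change their own, admins may reset anyone's,
#    nobody else can read the hashes. "auth" lets a simple bind compare
#    the supplied password against the stored value without read access.
access to attrs=userPassword
    by self write
    by set="user/admin & [TRUE]" write
    by anonymous auth
    by * none

# 3. Everything else: entries carrying admin: TRUE get write, users may
#    edit their own entry (the admin attribute is already excluded by
#    directive 1), anyone may read.
#    "by *" matches every requester, so a "by anonymous read" placed after
#    "by * read" is never reached; one clause is enough here.
access to *
    by set="user/admin & [TRUE]" write
    by self write
    by * read
```

After editing, check the configuration with "slaptest -f slapd.conf" and test both a bind as user2 attempting to modify its own admin attribute (expected: insufficient access) and a bind as user1 modifying user2 (expected: success).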
On Tue, Jul 15, 2008 at 10:17 AM, Francois Marot francois.marot@gmail.com wrote:
Hello all OpenLDAP users,
I'm quite new to LDAP and I need to modify a currently existing LDAP database. There exist users in the database which can authenticate, and I would like to add a specific parameter on some of those users to enable write access to them (for the moment they only have read access). For example I currently have 2 users:
uid=user1,ou=Users,dc=myCompany,dc=fr
uid=user2,ou=Users,dc=myCompany,dc=fr
I changed my schema in order to be able to define an attribute admin="TRUE" on user1. Now, I would like that only user1 could change anything in the database, and not user2. How would I do that? Is it possible to define an ACL based on the attribute of a DN?
Thanks
Francois MAROT
openldap-software@openldap.org