Hi all,
I am running an openldap 2.4.7 on debian with small local schema
modifications: a few more attributes and an objectClass derived from
inetOrgPerson.
I have looked in the administrator's guide and the slapd.access manpage
but I can't figure out how to do the following: I want to give write
access depending on the value of an attribute.
an attribute in the target (the "what") or in the user (the "who")?
something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com"
        attrs=cn,description,memberUid,entry
        by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
This syntax is not valid.
If I have read the manpage correctly, I can't do it with a filter. Is
there any way to get this behavior?
If access depends on values in the "what", use filter="<your filter>" in
the "what" clause; if access depends on values in the "who", use sets; in
your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com"
        attrs=cn,description,memberUid,entry
        by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
should work (note: indentation has probably been destroyed by my mailer).
It is not clear to me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
Dynacl has nothing to do with this. In fact, dynacl is a mechanism that
allows you to code access checking yourself, and plug it in as a run-time
loadable object. So, by itself, it would allow a lot of freedom, provided
you can write the code that does what you mean.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
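The two approaches Pierangelo describes (condition on the "who" via sets, condition on the "what" via filter=) side by side, as an added slapd.conf example that is not part of the original thread. It assumes the same DNs as the thread (cn=foo,ou=groups,dc=example,dc=com and ou=people,dc=example,dc=com); the uid=alice DN in the comment is a constructed placeholder.

```conf
# Added example (not from the thread): slapd.conf ACL fragments showing
# where the value-dependent condition lives.  Assumed tree as in the thread:
# group cn=foo,ou=groups,dc=example,dc=com, people under ou=people.

# (a) Condition on the requester ("who").  The set expands the LDAP URL to
#     the entryDN of every inetOrgPerson with employeeType=chief, then
#     intersects (&) it with the bound DN ("user"); a non-empty result
#     grants write.  Note this runs an internal search on every access
#     check, so keep the URL scoped and the filter indexed.
#     attrs keeps "entry" as in the thread, so the entry itself is covered.
access to dn.exact="cn=foo,ou=groups,dc=example,dc=com"
        attrs=cn,description,memberUid,entry
        by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
        by users read
        by * none

# (b) Condition on the target ("what").  filter= restricts which target
#     entries this clause applies to at all: a person may edit their own
#     description only while their entry carries employeeType=chief.
access to dn.subtree="ou=people,dc=example,dc=com"
        filter=(&(objectClass=inetOrgPerson)(employeeType=chief))
        attrs=description
        by self write
        by users read
        by * none

# Catch-all.  Clauses are evaluated in order and the first "to" clause that
# matches the target entry decides, so the specific clauses must stay above
# this one or they are never reached.
access to *
        by users read
        by * none

# Check the result offline with slapacl (constructed bind DN), e.g.:
#   slapacl -f slapd.conf -v \
#       -D "uid=alice,ou=people,dc=example,dc=com" \
#       -b "cn=foo,ou=groups,dc=example,dc=com" memberUid/write
```

slapacl reports whether the given identity gets the requested access to the named attribute of the target entry, which is the quickest way to confirm the set expansion behaves as intended before exposing the change to clients.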