Hello,
I'd like to refine the permission set of my OpenLDAP installation. The tree structure is:

  dc=mydomain
    cn=admin                 (LDAP admin)
    ou=domains               (customer domains)
      ou=example1.com
        cn=user1
        cn=user2
        cn=postmaster
      ou=example2.com
        cn=user1
        cn=user2
        cn=postmaster
The user postmaster is able to change specific attributes of objects in its own "domain" (one level up).
The current ACLs are defined as:
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by anonymous auth
    by * none

access to attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by anonymous auth
    by * none

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=sn,description,vacationActive,vacationInfo,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by * read

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by * read

access to *
    by dn.base="cn=admin,dc=mydomain" write
    by * read
ACL rule 4 allows the postmaster to add objects to its "domain" without any restrictions. How can I restrict the object creation to specific object classes and attributes? Let's say postmaster should only be able to add objects like the following:
dn: cn=user3,ou=example2.com,ou=domains,dc=mydomain
objectClass: CourierMailAccount
objectClass: inetOrgPerson
objectClass: top
objectClass: Vacation
cn: user3
homeDirectory: user3/example2.com/
mail: user.3@exampl2.com
sn: User3
vacationActive: TRUE
gidNumber: 5000
smtpRelayFlag: 1
uidNumber: 5000
userPassword:: <crypted password>
vacationInfo:: <binary data>
I didn't find such an approach in the Faq-O-Matic or the manuals. Thanks in advance for any advice.
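An added example, not from the original post, of one way to narrow rule 4 so that cn=postmaster can only create entries carrying a fixed set of object classes and attributes under its own ou. It assumes the tree from the question and relies on the `entry`/`children` pseudo-attributes, the `filter=` clause and the `val.regex` selector documented in slapd.access(5).

```conf
# Added example (not part of the original post). Narrows rule 4 so the
# postmaster of ou=<domain> can only add entries of the allowed classes
# with the allowed attributes. $1 is the domain captured by dn.regex.

# Adding a child requires write on the parent's "children" pseudo-attribute.
access to dn.regex="^ou=([^,]+),ou=domains,dc=mydomain$" attrs=children
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * none

# The new entry itself is writable only if it matches the filter, i.e. it
# carries the required object classes; other entries fall through to later rules.
access to dn.regex="^cn=[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
    filter="(&(objectClass=CourierMailAccount)(objectClass=inetOrgPerson)(objectClass=Vacation))"
    attrs=entry
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

# objectClass values are pinned to the allowed list; an add that carries any
# other class value needs write on that value, which no rule grants.
access to dn.regex="^cn=[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
    attrs=objectClass val.regex="^(top|inetOrgPerson|CourierMailAccount|Vacation)$"
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

# The writable attribute set is enumerated; userPassword and the vacation/
# contact attributes are already covered by rules 1 and 3 of the question.
access to dn.regex="^cn=[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
    attrs=cn,mail,homeDirectory,uidNumber,gidNumber,smtpRelayFlag
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read
```

slapd uses the first `access to` clause whose target (dn, attrs, filter) matches, so these rules must be placed before, or used instead of, the broad rule 4, otherwise rule 4 still grants write on every attribute and the restriction has no effect. Test each case with ldapadd as the postmaster (allowed entry, entry with an extra objectClass, entry with an extra attribute) and confirm only the first succeeds.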