So basically I can do:
to * by cn=admin,dc=company,dc=com add by cn=faraz,dc=company,dc=com zap
That is indeed not documented anywhere. Will start an ITS
Pierangelo Masarati wrote:
Faraz R. Khan wrote:
Is it possible to have fine grained ACLs in OpenLDAP? My problem is that the 'write' access is too broad. I wish to be able to control ADD, modify and delete separately. I tried looking at aacls.sourceforge.net but it involves the setup of a separate server and looks abandoned.
Any pointers would be appreciated- maybe the denyop module? I was trying to find some docs but all I could find was a FAQ entry.
OpenLDAP 2.4 allows to split the write privilege into "a" (add) and "z" (zap). A separate privilege for "modify" does not make too much sense to me: if a value is added, then one just needs "add"; if a (set of) value(s) is replaced, then one needs both "zap" (to delete old values) and "add" (to add new ones), and thus "write" is just fine. On a related note, I just realized this is not documented anywhere but in the mailing list. I suggest you file an ITS http://ww.openldap.org/its/ to request a documentation update.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando@sys-net.it