On Tuesday, 28 July 2009 10:31:21 Jens Thomas wrote:
On 28.07.2009 at 01:04, Howard Chu wrote:
Hi Howard,
A second problem, maybe you can give me a pointer: I would like to assign the right to add, modify and delete an object to an attribute inside the same object (and necessarily to the container object). Maybe ACI and the corresponding overlay is what I need. Or can this be solved by using regex?
I don't understand this question, give a more detailed example...
OK, for example, I have two objects like this:
dn: ou=container,o=org,c=de
objectClass: top
objectClass: organizationalUnit
ou: container
and
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
cn: person
sn: jackson
Now I would like to add some kind of ACL to cn=person (the objectClass "acl" is not real, but it should demonstrate what I need):
dn: cn=person,ou=container,o=org,c=de
objectClass: top
objectClass: person
objectClass: acl
cn: person
sn: jackson
aclAllowByDn: cn=user1,ou=users,o=org,c=de
So if the user "user1" binds successfully, he has permission to modify the entry.
This can be accomplished with a dnattr= "who" clause; in your example, that could be something like
access to dn.subtree="ou=container,o=org,c=de" by dnattr="aclAllowByDn" write
The "manager" attribute is sometimes used for this purpose.
When a new entry is created or an entry is deleted, I also need write access to the parent object in the tree, so I have to expand the ou=container object too in some way to allow the operation.
I think dnattr may work there as well, assuming you choose a multi-valued DN-valued attribute for storing the authorized DNs.
It should be possible to assign the right to add, modify and delete dynamically to another LDAP object, e.g. a user object.
Regards, Buchan
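A fuller slapd.conf fragment for the setup discussed in this thread, added here as an illustration and not taken from the original exchange. It assumes the hypothetical aclAllowByDn attribute and "acl" objectClass from Jens's mail, which have to be defined in a custom schema (the OIDs below are placeholders), and it puts the clause for the container's "children" pseudo-attribute before the subtree clause because slapd applies the first "access to" directive whose target matches.

```conf
# Constructed example, not from the thread. The hypothetical aclAllowByDn
# attribute needs DN syntax so that it can drive a dnattr= "who" clause.
# The OIDs are PLACEHOLDERS; use values from your own OID arc.
attributetype ( 1.3.6.1.4.1.99999.1.1.1 NAME 'aclAllowByDn'
    DESC 'DNs permitted to modify this entry (and, on a container, its children)'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

objectclass ( 1.3.6.1.4.1.99999.1.2.1 NAME 'acl'
    DESC 'Auxiliary class carrying aclAllowByDn'
    AUXILIARY MAY aclAllowByDn )

# Order matters: slapd stops at the first "access to" clause whose target
# matches, and dn.subtree below also matches ou=container itself, so the
# more specific children rule must come first.

# 1. Adding or deleting an entry below ou=container requires write access to
#    the "children" pseudo-attribute of the parent. Grant it to the DNs listed
#    in the container's own aclAllowByDn attribute (Jens's "expand the
#    ou=container object too").
access to dn.base="ou=container,o=org,c=de" attrs=children
    by dnattr=aclAllowByDn write
    by users read

# 2. Every entry in the subtree: the DNs listed in that entry's aclAllowByDn
#    may write it. Without attrs= this covers the real attributes as well as
#    the "entry" pseudo-attribute, which add and delete also check on the
#    target entry itself. For an add, the incoming entry must therefore carry
#    the adding user's DN in aclAllowByDn, as in Jens's cn=person example.
access to dn.subtree="ou=container,o=org,c=de"
    by dnattr=aclAllowByDn write
    by users read
```

With cn=user1,ou=users,o=org,c=de present in aclAllowByDn on ou=container and in the LDIF of the new entry, user1 can add and later delete that entry; listing it only on the container lets the children check pass while the entry check on the new object still fails.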