On 10/07/10 08:50, Dieter Kluenter wrote:
Luiz Marcelo 85marcelo@gmail.com writes:
Hello everyone!
Hello, I have a scenario where two administrators write to the same base, e.g.
"cn=admin1,dc=domain,dc=com" and "cn=admin2,dc=domain,dc=com"
In general, both have write permission on the base. However, assuming the user admin1 adds the entry "uid=john,ou=people,dc=domain,dc=com", only the admin1 user should be able to modify this entry, so each admin should only be able to modify the entries they themselves created, in any part of the base.
Does anyone have any idea how I could create an access control list for this?
I can provide an idea, but not a working solution :-) You may create a set access rule that only allows write access to an entry if the attribute value of creatorsName corresponds to the currently authenticated user. Unfortunately there is almost no information available on sets, but you may search the archive of the openldap-software mailing list and
http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html
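The set rule sketched above, written out as slapd.conf access directives. This is an added illustration, not a configuration posted in the thread or taken from the FAQ entries; the base DN, the two admin DNs and the "everyone else may read" policy are assumptions carried over from the question. It also adds a second, separate rule that the set rule alone does not cover: slapd checks an add (and a delete) against the "children" pseudo-attribute of the parent entry, so both admins need that explicitly, or each would only be able to add entries underneath entries they themselves created.

```conf
# Assumed base and admin DNs from the question; adjust to the real tree.
#
# Rule 1: both admins may add or delete entries anywhere under the base.
# Add/delete are authorised against the "children" pseudo-attribute of the
# parent, not against the new entry, so this has to be granted by DN.
# Rules are evaluated first-match per attribute, so this must precede
# the general rule below.
access to dn.subtree="dc=domain,dc=com" attrs=children
    by dn.exact="cn=admin1,dc=domain,dc=com" write
    by dn.exact="cn=admin2,dc=domain,dc=com" write
    by * read

# Rule 2: an existing entry is writable only by its creator.
# "this" is the entry being accessed, "this/creatorsName" expands to the
# value of its creatorsName operational attribute, and "user" is the DN
# of the authenticated client. The intersection is non-empty, and the
# clause matches, only when the two DNs are the same.
# "by * read" is an assumption: anyone else only gets read access.
access to dn.subtree="dc=domain,dc=com"
    by set="this/creatorsName & user" write
    by * read
```

Two things to check on the deployed server before relying on this. First, sets are marked experimental in slapd.access(5), so test the rule against the slapd version actually in use (ldapmodify as admin2 against an entry created by admin1 should be refused). Second, creatorsName is maintained by slapd, but a client holding "manage" privileges can overwrite operational attributes with the relax control, so neither admin DN should be granted manage access or be the rootdn; the comparison in rule 2 is only as trustworthy as the creatorsName value it reads.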
I thought this scenario would make a good example, but reading through these FAQ entries I see that this exact situation is already documented:
http://www.openldap.org/faq/data/cache/1140.html
Jonathan