--On Thursday, April 30, 2009 11:44 AM +0200 Florian Götz f.goetz@hs-mannheim.de wrote:
A warm "Hello" from Germany to the openldap-technical list!
I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server. I need to write an ACL which allows a user to see his own entry (objectClass built on inetOrgPerson) and nothing else. I know that this isn't the intended use of the LDAP system, but our manager wants it that way.
Have you looked at the "self" keyword?
The keyword self means access to an entry is allowed to the entry itself (e.g. the entry being accessed and the requesting entry must be the same). It allows the level{<n>} style, where <n> indicates what ancestor of the DN is to be used in matches. A positive value indicates that the <n>-th ancestor of the user's DN is to be considered; a negative value indicates that the <n>-th ancestor of the target is to be considered. For example, a "by self.level{1} ..." clause would match when the object "dc=example,dc=com" is accessed by "cn=User,dc=example,dc=com". A "by self.level{-1} ..." clause would match when the same user accesses the object "ou=Address Book,cn=User,dc=example,dc=com".
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
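As an added example (not part of the thread and not an OpenLDAP project file), this is what an ACL built on the "self" keyword looks like in slapd.conf form for the "own entry and nothing else" requirement. It assumes the suffix dc=example,dc=com with user entries under ou=People,dc=example,dc=com; both are hypothetical names chosen for the illustration.

```conf
# Added example, not from the thread. Assumes the suffix dc=example,dc=com
# and user entries under ou=People,dc=example,dc=com (both hypothetical).
# Order matters: slapd uses the first "access to" clause whose target
# matches, so the userPassword rule must come before the catch-all.

# A simple bind is evaluated while the connection is still anonymous, so
# anonymous needs "auth" on userPassword or nobody can log in at all.
# "self write" lets a user change their own password; use "self auth"
# instead if users must only be able to bind with it, not change it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else: a bound user may read (and therefore search) only the
# entry whose DN equals the bind DN. "by * none" is already the default,
# but spelling it out keeps a later edit from adding a weaker fallback
# by accident. The rootdn is never subject to ACLs and still sees all.
access to *
        by self read
        by * none
```

Check the rules with slapacl before restarting slapd: slapacl -f /etc/openldap/slapd.conf -D "cn=User,ou=People,dc=example,dc=com" -b "cn=User,ou=People,dc=example,dc=com" mail/read should report the access as granted, and the same command with -b pointing at any other entry should report it as denied. Once the ACL is live, an ldapsearch -x -D "cn=User,ou=People,dc=example,dc=com" -W -b dc=example,dc=com "(objectClass=*)" returns only the user's own entry; entries the user cannot read are silently omitted rather than producing an error. If slapd is run from cn=config rather than slapd.conf, the same two clauses go into olcAccess values of the database entry, prefixed with {0} and {1} to preserve the order.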