On Tue, 5 Aug 2014 09:41:36 +0200, Simeon Ott simeon.ott@onnet.ch wrote:
Hello,
I'd like to refine my permission set of my openldap installation. The tree structure is:

dc=mydomain
- cn=admin (ldap admin)
- ou=domains (customer domains)
  - ou=example1.com
    - cn=user1
    - cn=user2
    - cn=postmaster
  - ou=example2.com
    - cn=user1
    - cn=user2
    - cn=postmaster
The user postmaster is able to change specific attributes of objects in its own "domain" (one level up).
The current ACLs are defined as:
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by anonymous auth
    by * none

access to attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by anonymous auth
    by * none

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=sn,description,vacationActive,vacationInfo,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by * read

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by * read

access to *
    by dn.base="cn=admin,dc=mydomain" write
    by * read
ACL rule 4 allows the postmaster to add objects to its "domain" without any restrictions. How can I restrict the object creation to specific object classes and attributes? Let's say postmaster should only be able to add objects like the following:
[...] man slapd.access(5), the <WHAT> field: @<objectClass>
-Dieter
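Dieter's pointer worked out against the tree in the question, as an added example that is not from the thread and is neither poster's configuration: a replacement for rule 4 that lets postmaster add entries under its own ou only when every attribute of the new entry is one that the chosen objectClass requires or allows. The class (inetOrgPerson), the `[^,]+` captures in the regexes and the assumption that mailbox entries sit directly below their ou are assumptions of this example; substitute whatever class and layout the real mailbox entries use.

```conf
# Added example, not from the thread. Replaces rule 4 of the question; the
# userPassword and attribute-list rules stay in front of it, unchanged.
# Assumed: mailbox entries are inetOrgPerson and live as cn=...,ou=<domain>,...

# 4a: creating (or deleting/renaming) a child of ou=<domain> needs write on
#     the parent's "children" pseudo-attribute. $1 is the domain captured from
#     the target DN; [^,]+ keeps the capture from swallowing further RDNs.
access to dn.regex="^ou=([^,]+),ou=domains,dc=mydomain$" attrs=children
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

# 4b: the new entry itself: write on the "entry" pseudo-attribute, on
#     objectClass, and on every attribute that inetOrgPerson requires or
#     allows (the @<objectClass> form from slapd.access(5)). An attribute
#     outside that set (uidNumber, sudoRole, ...) does not match this rule,
#     falls through to the final "access to *" rule, gets only read for
#     postmaster, and the add is refused as a whole.
#     filter= keeps entries that are not inetOrgPerson from matching at all,
#     so postmaster cannot create some other class whose attributes happen
#     to be a subset of inetOrgPerson's. objectClass is listed explicitly
#     rather than relying on the @ expansion to supply it via "top".
access to dn.regex="^cn=[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
       filter=(objectClass=inetOrgPerson)
       attrs=entry,objectClass,@inetOrgPerson
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

# 5: unchanged from the question.
access to *
    by dn.base="cn=admin,dc=mydomain" write
    by * read
```

Three things to check before relying on this. First, the old rule 4 must go, not merely be preceded by these: slapd stops at the first rule whose <what> matches the attribute being checked, so a surviving `access to dn.regex=... by postmaster write` would re-grant everything. Second, confirm on your slapd version that `@inetOrgPerson` covers the attributes inherited from person and organizationalPerson (cn, sn, ...) by adding a test entry as postmaster; if those are refused, list `@person,@organizationalPerson` alongside it. Third, the `children` grant in 4a also permits postmaster to delete or rename the domain's existing entries, which is usually intended but should be a conscious decision. A negative test is an `ldapadd` bound as `cn=postmaster,ou=example1.com,ou=domains,dc=mydomain` that includes one attribute outside the class; it should fail with "Insufficient access (50)".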