Hello everyone!
Good, I have a scenario where two directors write to the same base, e.g.
"cn=admin1,dc=domain,dc=com" and "cn=admin2,dc=domain,dc=com"
In a general scope, both have write permission on the base. However, assuming the user admin1 adds the entry "uid=john,ou=people,dc=domain,dc=com", only the admin1 user can modify this entry, so each admin should only modify their own entries, created in any part of the base.
Would someone have any idea how I could create an access control list for this?
Thanks!
Luiz Marcelo 85marcelo@gmail.com writes:
> Hello everyone!
> Good, I have a scenario where two directors write to the same base, e.g.
> "cn=admin1,dc=domain,dc=com" and "cn=admin2,dc=domain,dc=com"
> In a general scope, both have write permission on the base. However, assuming the user admin1 adds the entry "uid=john,ou=people,dc=domain,dc=com", only the admin1 user can modify this entry, so each admin should only modify their own entries, created in any part of the base.
> Would someone have any idea how I could create an access control list for this?
I can provide an idea, but not a working solution :-) You may create a set access rule that only allows write access to an entry if the attribute value of creatorsName corresponds to the presently authenticated user. Unfortunately there is almost no information available on sets, but you may search the archive of the openldap-software mailing list and http://www.openldap.org/faq/data/cache/1133.html http://www.openldap.org/faq/data/cache/1134.html
-Dieter
On 10.07.2010 08:50, Dieter Kluenter wrote:
> Luiz Marcelo 85marcelo@gmail.com writes:
> > Hello everyone!
> > Good, I have a scenario where two directors write to the same base, e.g.
> > "cn=admin1,dc=domain,dc=com" and "cn=admin2,dc=domain,dc=com"
> > In a general scope, both have write permission on the base. However, assuming the user admin1 adds the entry "uid=john,ou=people,dc=domain,dc=com", only the admin1 user can modify this entry, so each admin should only modify their own entries, created in any part of the base.
> > Would someone have any idea how I could create an access control list for this?
> I can provide an idea, but not a working solution :-) You may create a set access rule that only allows write access to an entry if the attribute value of creatorsName corresponds to the presently authenticated user. Unfortunately there is almost no information available on sets, but you may search the archive of the openldap-software mailing list and http://www.openldap.org/faq/data/cache/1133.html http://www.openldap.org/faq/data/cache/1134.html
> -Dieter
Hi,
why use sets? He could just use a filter in <what>, like this:
access to filter="(creatorsName=cn=admin1,dc=domain,dc=com)" by dn="cn=admin1,dc=domain,dc=com" write by * read
access to filter="(creatorsName=cn=admin2,dc=domain,dc=com)" by dn="cn=admin2,dc=domain,dc=com" write by * read
Regards, Christian Manal
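As an added example that is not part of this thread or of OpenLDAP's own documentation: the two filter rules above need one line per admin, while Dieter's set idea expresses the same policy once for any number of admins. The cn=config LDIF below writes that set form together with the rule the add operation itself needs (write on the parent's children pseudo-attribute). It assumes a single olcDatabase={1}mdb and a hypothetical group cn=admins,ou=groups,dc=domain,dc=com holding the admin DNs; the set expression `this/creatorsName & user` follows slapd.access(5), where `this` is the entry being accessed and `user` is the bound DN, and it assumes slapd has already filled in creatorsName when it evaluates the ACL for the add.

```ldif
# Added example, not from the thread. Assumed database: olcDatabase={1}mdb.
# Assumed group of admins: cn=admins,ou=groups,dc=domain,dc=com (hypothetical).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: members of the admin group may add or delete entries under ou=people.
# This only grants the "children" pseudo-attribute on the parent; whether the
# resulting entry can later be modified is decided by rule 1.
olcAccess: {0}to dn.exact="ou=people,dc=domain,dc=com" attrs=children
  by group.exact="cn=admins,ou=groups,dc=domain,dc=com" write
  by * read
# Rule 1: an entry (all its attributes, including the "entry" pseudo-attribute
# needed for delete and rename) is writable only by the DN that slapd recorded
# in its creatorsName. "this" is the target entry, "user" is the bound DN; the
# intersection is non-empty exactly when the bound DN is the creator.
olcAccess: {1}to dn.subtree="dc=domain,dc=com"
  by set="this/creatorsName & user" write
  by * read
```

Two points matter when dropping this in. slapd uses the first `to` clause that matches the target, so rule 1 must come before any existing rule that grants both admins write to the whole base, otherwise that broader rule wins and the ownership check is never reached. And creatorsName is an operational attribute that slapd sets itself at add time and does not accept from ordinary clients, which is what makes it a usable ownership marker here. After loading the change with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (assuming the usual root-only EXTERNAL access to cn=config), `slapacl -b "uid=john,ou=people,dc=domain,dc=com" -D "cn=admin2,dc=domain,dc=com" "cn/write"` shows whether the second admin is really denied on the first admin's entry.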
On 10/07/10 08:50, Dieter Kluenter wrote:
> Luiz Marcelo 85marcelo@gmail.com writes:
> > Hello everyone!
> > Good, I have a scenario where two directors write to the same base, e.g.
> > "cn=admin1,dc=domain,dc=com" and "cn=admin2,dc=domain,dc=com"
> > In a general scope, both have write permission on the base. However, assuming the user admin1 adds the entry "uid=john,ou=people,dc=domain,dc=com", only the admin1 user can modify this entry, so each admin should only modify their own entries, created in any part of the base.
> > Would someone have any idea how I could create an access control list for this?
> I can provide an idea, but not a working solution :-) You may create a set access rule that only allows write access to an entry if the attribute value of creatorsName corresponds to the presently authenticated user. Unfortunately there is almost no information available on sets, but you may search the archive of the openldap-software mailing list and http://www.openldap.org/faq/data/cache/1133.html http://www.openldap.org/faq/data/cache/1134.html
I thought this scenario would make a good example, but reading through these FAQ entries I see that this exact situation is already documented:
http://www.openldap.org/faq/data/cache/1140.html
Jonathan
openldap-technical@openldap.org