So basically I can do:
to * by cn=admin,dc=company,dc=com add by cn=faraz,dc=company,dc=com zap
That is indeed not documented anywhere. Will start an ITS
Pierangelo Masarati wrote:
Faraz R. Khan wrote:
Is it possible to have fine grained ACLs in OpenLDAP? My problem is that the 'write' access is too broad. I wish to be able to control ADD, modify and delete separately. I tried looking at aacls.sourceforge.net but it involves the setup of a separate server and looks abandoned.
Any pointers would be appreciated - maybe the denyop module? I was trying to find some docs but all I could find was a FAQ entry.
OpenLDAP 2.4 allows splitting the write privilege into "a" (add) and "z" (zap). A separate privilege for "modify" does not make too much sense to me: if a value is added, then one just needs "add"; if a (set of) value(s) is replaced, then one needs both "zap" (to delete old values) and "add" (to add new ones), and thus "write" is just fine. On a related note, I just realized this is not documented anywhere but in the mailing list. I suggest you file an ITS http://ww.openldap.org/its/ to request a documentation update.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando@sys-net.it
Faraz R. Khan wrote:
So basically I can do:
to * by cn=admin,dc=company,dc=com add by cn=faraz,dc=company,dc=com zap
That is indeed not documented anywhere. Will start an ITS
Not exactly like that, but sort of:
access to * by "cn=admin,dc=company,dc=com" "=a" by "cn=faraz,dc=company,dc=com" "=z"
If those identities need further privileges (e.g. search or so) they must be explicitly listed, namely
access to * by "cn=admin,dc=company,dc=com" "=dxcsra" by "cn=faraz,dc=company,dc=com" "=dxcsrz"
See slapd.access(5) for details about the syntax and the meaning of each symbol.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando@sys-net.it
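Putting the two answers above together, here is an added slapd.conf ACL fragment (my own example, not code from the thread or from the OpenLDAP project) that uses the "a"/"z" split for a provisioning workflow. The ou=people subtree and the two service identities cn=provisioner and cn=deprovisioner under dc=company,dc=com are assumed for illustration and do not appear in the thread; the privilege letters and the entry/children pseudo-attributes are the ones described in slapd.access(5).

```conf
# Added example, not from the thread: slapd.conf ACL fragment that splits
# write into add ("a") and zap/delete ("z") for a provisioning workflow.
# ou=people, cn=provisioner and cn=deprovisioner under dc=company,dc=com
# are assumed identities. The database rootdn bypasses ACLs entirely, so if
# cn=admin in the thread is the rootdn no rule below ever applies to it.
#
# Broad form for comparison: one identity gets everything "write" allows.
#access to dn.subtree="ou=people,dc=company,dc=com"
#    by dn.exact="cn=admin,dc=company,dc=com" write
#    by * read
#
# Fine-grained form. Rules are evaluated in order and the first matching
# "access to" clause wins; "=" sets the exact privilege set, so d/x/c/s/r
# have to be listed explicitly, as the second answer above points out.

# 1. Creating or removing an entry directly under ou=people needs "a" or
#    "z" on the children pseudo-attribute of ou=people itself.
access to dn.exact="ou=people,dc=company,dc=com" attrs=children
    by dn.exact="cn=provisioner,dc=company,dc=com" =dxcsra
    by dn.exact="cn=deprovisioner,dc=company,dc=com" =dxcsrz
    by * =dxcsr

# 2. The same operations also need "a" or "z" on the entry pseudo-attribute
#    of the entry being added or deleted. This rule must precede rule 3,
#    which carries no attrs= clause and would otherwise match entry too.
access to dn.children="ou=people,dc=company,dc=com" attrs=entry
    by dn.exact="cn=provisioner,dc=company,dc=com" =dxcsra
    by dn.exact="cn=deprovisioner,dc=company,dc=com" =dxcsrz
    by * =dxcsr

# 3. Attribute values. An add operation needs "a" on every attribute of the
#    new entry, so the provisioner gets "a" but never "z": it can populate
#    entries but cannot remove or replace existing values (replace needs
#    a+z, i.e. write). The deprovisioner gets no "z" here, so it can delete
#    whole entries but not edit them. Users keep full write on themselves.
access to dn.children="ou=people,dc=company,dc=com"
    by dn.exact="cn=provisioner,dc=company,dc=com" =dxcsra
    by self write
    by * read
```

The rules use dn.exact= so that each by clause is pinned to one identity. A quick way to confirm the intended split is to bind as each service account and attempt an add, a delete and a modify/replace against a test entry under ou=people; only the combinations granted above should succeed, and slapd's ACL logging (loglevel acl) shows which rule and privilege decided each operation.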
openldap-technical@openldap.org