hi,
I have the following structure:
cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
cn=foobar1,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
cn=foobar2,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
cn=foobar looks like:
dn: cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: top
cn: admin
sn: admin
description: added_by_dekanat
mailLocalAddress: sysop@department.domain.foo
mailRoutingAddress: foobar@department.domain.foo
At the moment I have one role "mail" that has access to:
dn.sub="ou=mail,ou=services,ou=department,dc=domain,dc=foo" read
It works as expected: the mail server can read all entries.
Now I want to create a role that has permission to delete/add/modify all entries below ou=aliases, from all domains (dc=domain,ou=mail...), but only if "description: <string>" is found (for delete/modify only, not for add).
Is that possible?
Otherwise, what does it look like if I drop the "only if" idea?
cu denny
On Thu, 6 Sep 2012 13:35:56 +0200, Denny Schierz linuxmail@4lin.net wrote:
> hi,
> I have the following structure:
> cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> cn=foobar1,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> cn=foobar2,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> cn=foobar looks like:
> dn: cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: top
> cn: admin
> sn: admin
> description: added_by_dekanat
> mailLocalAddress: sysop@department.domain.foo
> mailRoutingAddress: foobar@department.domain.foo
> At the moment I have one role "mail" that has access to:
> dn.sub="ou=mail,ou=services,ou=department,dc=domain,dc=foo" read
> It works as expected: the mail server can read all entries.
> Now I want to create a role that has permission to delete/add/modify all entries below ou=aliases, from all domains (dc=domain,ou=mail...), but only if "description: <string>" is found (for delete/modify only, not for add).
> Is that possible?
This can be achieved by sets:
http://www.openldap.org/faq/data/cache/1134.html
http://www.openldap.org/faq/data/cache/1132.html
http://www.openldap.org/faq/data/cache/1133.html
-Dieter
openldap-technical@openldap.org
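As an added illustration (not part of the thread, and not the sets approach Dieter links to), the following slapd.conf ACL fragment shows how the requirement from the question can be expressed with the `filter=` target clause together with the separate `add`/`write` access levels. The subtree names are those from the question; the two role DNs (`cn=mail` and `cn=alias-admin` under `ou=roles,dc=domain,dc=foo`) are assumed placeholders.

```conf
# Added example, not from the original posts. Role DNs under ou=roles are assumed.

# Rule 1: the existing "mail" role keeps read access to the whole mail subtree.
# "break" makes slapd continue evaluating later rules for other identities.
access to dn.sub="ou=mail,ou=services,ou=department,dc=domain,dc=foo"
    by dn.exact="cn=mail,ou=roles,dc=domain,dc=foo" read
    by * break

# Rule 2: alias entries (in any dc=<domain>) that already carry a description.
# filter= narrows the target to entries matching an LDAP search filter, so the
# alias-admin role can modify and delete only entries where description exists.
access to dn.regex="^cn=[^,]+,ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
        filter="(description=*)"
    by dn.exact="cn=alias-admin,ou=roles,dc=domain,dc=foo" write
    by * none

# Rule 3: alias entries without a description. The "add" level lets the role
# create such entries (and add attribute values), but not delete them.
access to dn.regex="^cn=[^,]+,ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
    by dn.exact="cn=alias-admin,ou=roles,dc=domain,dc=foo" add
    by * none

# Rule 4: creating or deleting a child entry also requires the corresponding
# privilege on the parent's "children" pseudo-attribute.
access to dn.regex="^ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
        attrs=children
    by dn.exact="cn=alias-admin,ou=roles,dc=domain,dc=foo" write
    by * none
```

Two points worth checking before relying on this: rule order matters, because slapd uses the first `access to` clause whose target matches and the first `by` clause whose identity matches, so the filtered rule must precede the unfiltered one; and the `add`/`delete` access levels (OpenLDAP 2.3 and later) distinguish adding from deleting, but `add` also permits adding new values during a modify, which is more than "add only" if that distinction matters for the deployment. Test the result with `slapacl` against a bound DN and a target entry before enabling it on the production server.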