Hi all,
I'm not very experienced with ldap. I've been looking into the access controls documentation but I'm unsure on what the proper way to handle this is.
So let me explain what I want to accomplish: a user entry (posixAccount, password, givenName, ...) can update his own password by using the "self" keyword. All good there. But a user has some assets he owns. For example a host (in Common tree).
I want the user to be able to update one attribute of this host. "self" keyword doesn't work here as the user doesn't bind to it. So I added an owner attribute to the host and with that attribute I reference to the user.
Now I need some kind of "glue" to verify that the user is allowed to write to the attribute.
Do I need a filter? Wouldn't this just filter out a specific attribute? Or will it only filter entries based on the filter match?
In the latter case (which seems like a logical way for openldap to handle this) I would need:
- attr: to select the attribute for which the user's access is modified
- filter: to only apply on the user's host
- by: variable definition for this clause to only apply on the bound user
I've read about dnattr but I'm unsure whether this accomplishes what I want.
Could anyone share an example?
Thanks
PenguinWhispererThe . wrote:
> I want the user to be able to update one attribute of this host. "self" keyword doesn't work here as the user doesn't bind to it. [..] Could anyone share an example?
The FAQ-O-MATIC has many very useful examples.
Start here: http://www.openldap.org/faq/data/cache/189.html
Ciao, Michael.
Hi Michael.
Thanks for the link. I've looked in the examples. Should expand be used to accomplish this then?
Note that the host is in another tree. And the attribute that should be editable by the user is at the same level (sibling) as the owner (so the user that should be able to edit it).
Thanks in advance.
On Jun 21, 2016 7:59 AM, "Michael Ströder" michael@stroeder.com wrote:
> PenguinWhispererThe . wrote:
> > I want the user to be able to update one attribute of this host. "self" keyword doesn't work here as the user doesn't bind to it. [..] Could anyone share an example?
> The FAQ-O-MATIC has many very useful examples.
> Start here: http://www.openldap.org/faq/data/cache/189.html
> Ciao, Michael.
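As an added worked example (not from this thread and not from the FAQ page Michael links), here is one way to express the setup described in the original post and in the follow-up: a host entry in a separate subtree carries the standard `owner` attribute (DN syntax, which is what `dnattr=` requires), and the bound user gets write access to one sibling attribute of that same entry only when their DN is listed in `owner`. The DNs, the `ou=Hosts`/`ou=People` layout, the `device` objectClass, `description` as the writable attribute, the `{1}mdb` database name and the user names are all assumptions chosen for the example.

```ldif
# Constructed host entry in the "Common" subtree. The user alice is
# recorded as owner; "owner" is a DN-syntax attribute, so dnattr= can
# compare it against the bound DN. (Example data, not from the thread.)
dn: cn=host1,ou=Hosts,dc=example,dc=com
objectClass: device
cn: host1
description: lab machine
owner: uid=alice,ou=People,dc=example,dc=com

# ACLs in cn=config form. Ordering matters twice over: slapd uses the
# first "to" clause whose target matches, and within it the first "by"
# clause that matches the bound identity. The narrow rule for the one
# writable attribute therefore precedes the catch-all for the subtree.
# Note that "owner" itself is not made writable, so an owner cannot
# hand a host to somebody else; only the rootdn/admin ACL can change it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=Hosts,dc=example,dc=com" attrs=description
  by dnattr=owner write
  by users read
  by * none
olcAccess: {2}to dn.subtree="ou=Hosts,dc=example,dc=com"
  by users read
  by * none
olcAccess: {3}to *
  by users read
  by * none
```

In LDIF each continuation line starts with a single space that is stripped on folding, so the `by` lines above carry two leading spaces to keep a real space in the joined value. A `filter=` on the `to` side selects target entries only and cannot refer to the bound user, which is why it cannot express "the bound user owns this entry" on its own; `dnattr=owner` (or, equivalently, the set expression `by set="this/owner & user" write`) is what ties the two together. Before relying on the rules, check them offline with slapacl against the configuration directory, e.g. `slapacl -F /etc/ldap/slapd.d -D "uid=alice,ou=People,dc=example,dc=com" -b "cn=host1,ou=Hosts,dc=example,dc=com" description/write`, and repeat with a DN that is not listed in `owner` to confirm that write is denied while read is still granted.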
PenguinWhispererThe . wrote:
> Thanks for the link. I've looked in the examples. Should expand be used to accomplish this then?
> Note that the host is in another tree. And the attribute that should be editable by the user is at the same level (sibling) as the owner (so the user that should be able to edit it).
That's all possible and you should find similar examples in the FAQ. But crafting your ACLs is your homework. And yes, it takes some time to get familiar with this.
Ciao, Michael.
> On Jun 21, 2016 7:59 AM, "Michael Ströder" michael@stroeder.com wrote:
> > PenguinWhispererThe . wrote:
> > > I want the user to be able to update one attribute of this host. "self" keyword doesn't work here as the user doesn't bind to it. [..] Could anyone share an example?
> > The FAQ-O-MATIC has many very useful examples.
> > Start here: http://www.openldap.org/faq/data/cache/189.html
> > Ciao, Michael.
openldap-technical@openldap.org