1:41 p.m.
Can anyone help how I should make the acls that allows users[2] access
attributes of ldap entries[1] that have themselves listed in the
attribute value sendmailMTAMapValue
Something like:
Access to children? ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
filter=(sendmailMTAMapValue=VAR1) attrs=sendmailMTAKey
by uid=VAR1,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local read
[1]
dn:
sendmailMTAKey=test(a)example.com,ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,
dc=local
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
objectClass: ritAdditionalInfo
sendmailMTAMapName: virtuser
sendmailMTACluster: mail
sendmailMTAKey: test(a)example.com
sendmailMTAMapValue: testuser
[2]
uid=testuser,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
1:10 a.m.
New subject: acl help access to 'own' attributes (paid support)
Paid support is also welcome.
-----Original Message-----
To: openldap-technical
Subject: acl help access to 'own' attributes
Can anyone help how I should make the acls that allows users[2] access
attributes of ldap entries[1] that have themselves listed in the
attribute value sendmailMTAMapValue
Something like:
Access to children? ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
filter=(sendmailMTAMapValue=VAR1) attrs=sendmailMTAKey
by uid=VAR1,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local read
[1]
dn:
sendmailMTAKey=test(a)example.com,ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,
dc=local
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
objectClass: ritAdditionalInfo
sendmailMTAMapName: virtuser
sendmailMTACluster: mail
sendmailMTAKey: test(a)example.com
sendmailMTAMapValue: testuser
[2]
uid=testuser,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
5:17 a.m.
It depends on how many user you have, were are the user-objects are
located in your tree, there are not enough information to solve your
problem. If the users are spread over the hole tree you need some kind
of regex-ACLs
Am 27.11.19 um 22:41 schrieb Marc Roos:
Can anyone help how I should make the acls that allows users[2]
access
attributes of ldap entries[1] that have themselves listed in the
attribute value sendmailMTAMapValue
Something like:
Access to children? ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
filter=(sendmailMTAMapValue=VAR1) attrs=sendmailMTAKey
by uid=VAR1,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local read
[1]
dn:
sendmailMTAKey=test(a)example.com,ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,
dc=local
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
objectClass: ritAdditionalInfo
sendmailMTAMapName: virtuser
sendmailMTACluster: mail
sendmailMTAKey: test(a)example.com
sendmailMTAMapValue: testuser
[2]
uid=testuser,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signieren jeder E-Mail hilft Spam zu reduzieren und schützt Ihre Privatsphäre. Ein
kostenfreies Zertifikat erhalten Sie unter https://www.dgn.de/dgncert/index.html
2:52 p.m.
It depends on how many user you have,
Why?
were are the user-objects are located in your tree,
At [2]
If the users are spread over the hole tree you need some kind of
regex-ACLs
No just [2]
Is it not possible to focus on this example, I think I can manage from
there.
-----Original Message-----
To: openldap-technical(a)openldap.org
Subject: Re: acl help access to 'own' attributes
It depends on how many user you have, were are the user-objects are
located in your tree, there are not enough information to solve your
problem. If the users are spread over the hole tree you need some kind
of regex-ACLs
Am 27.11.19 um 22:41 schrieb Marc Roos:
Can anyone help how I should make the acls that allows users[2]
access
attributes of ldap entries[1] that have themselves listed in the
attribute value sendmailMTAMapValue
Something like:
Access to children? ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
filter=(sendmailMTAMapValue=VAR1) attrs=sendmailMTAKey
by uid=VAR1,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local read
[1]
dn:
sendmailMTAKey=test(a)example.com,ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaa
a,
dc=local
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
objectClass: ritAdditionalInfo
sendmailMTAMapName: virtuser
sendmailMTACluster: mail
sendmailMTAKey: test(a)example.com
sendmailMTAMapValue: testuser
[2]
uid=testuser,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signieren jeder E-Mail hilft Spam zu reduzieren und schützt Ihre
Privatsphäre. Ein kostenfreies Zertifikat erhalten Sie unter
https://www.dgn.de/dgncert/index.html
4:03 p.m.
--On Thursday, November 28, 2019 11:52 PM +0100 Marc Roos
<M.Roos(a)f1-outsourcing.eu> wrote:
> It depends on how many user you have,
Why?
> were are the user-objects are located in your tree,
At [2]
> If the users are spread over the hole tree you need some kind of
regex-ACLs
No just [2]
Is it not possible to focus on this example, I think I can manage from
there.
You might want to look at sets.
<https://www.openldap.org/faq/data/cache/1133.html>
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
12:33 a.m.
What I still don't understand do you want only write access to a single
Attribute or to the whole object
(1)
access to dn.children=[1]
by self write
by * none
or (2)
access to attr <attr-name>
by self write
by * none
This (1) will give permission to all Users located in [1] write access
to their own object. (2) will give access only to a list (comma
separated) of attributes. But be aware that you have to look at which
position you put the new ACL in your ACL-List
Am 27.11.19 um 22:41 schrieb Marc Roos:
Can anyone help how I should make the acls that allows users[2]
access
attributes of ldap entries[1] that have themselves listed in the
attribute value sendmailMTAMapValue
Something like:
Access to children? ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
filter=(sendmailMTAMapValue=VAR1) attrs=sendmailMTAKey
by uid=VAR1,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local read
[1]
dn:
sendmailMTAKey=test(a)example.com,ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,
dc=local
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
objectClass: ritAdditionalInfo
sendmailMTAMapName: virtuser
sendmailMTACluster: mail
sendmailMTAKey: test(a)example.com
sendmailMTAMapValue: testuser
[2]
uid=testuser,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signieren jeder E-Mail hilft Spam zu reduzieren und schützt Ihre Privatsphäre. Ein
kostenfreies Zertifikat erhalten Sie unter https://www.dgn.de/dgncert/index.html
11:33 a.m.
Read to the attribute is fine. I tried to explain a bit in 'pseudo' code
Access to children(?)
ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
filter=(sendmailMTAMapValue=VAR1) attrs=sendmailMTAKey
by uid=VAR1,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local read
-----Original Message-----
To: openldap-technical(a)openldap.org
Subject: Re: acl help access to 'own' attributes
What I still don't understand do you want only write access to a single
Attribute or to the whole object
(1)
access to dn.children=[1]
by self write
by * none
or (2)
access to attr <attr-name>
by self write
by * none
This (1) will give permission to all Users located in [1] write access
to their own object. (2) will give access only to a list (comma
separated) of attributes. But be aware that you have to look at which
position you put the new ACL in your ACL-List
Am 27.11.19 um 22:41 schrieb Marc Roos:
Can anyone help how I should make the acls that allows users[2]
access
attributes of ldap entries[1] that have themselves listed in the
attribute value sendmailMTAMapValue
Something like:
Access to children? ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
filter=(sendmailMTAMapValue=VAR1) attrs=sendmailMTAKey
by uid=VAR1,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local read
[1]
dn:
sendmailMTAKey=test(a)example.com,ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaa
a,
dc=local
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
objectClass: ritAdditionalInfo
sendmailMTAMapName: virtuser
sendmailMTACluster: mail
sendmailMTAKey: test(a)example.com
sendmailMTAMapValue: testuser
[2]
uid=testuser,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signieren jeder E-Mail hilft Spam zu reduzieren und schützt Ihre
Privatsphäre. Ein kostenfreies Zertifikat erhalten Sie unter
https://www.dgn.de/dgncert/index.html
1212
days inactive
1215
days old
openldap-technical@openldap.org
6 comments
3 participants
participants (3)
-
Marc Roos -
Quanah Gibson-Mount -
Stefan Kania