On Tuesday, 28 July 2009 10:31:21 Jens Thomas wrote:
> On 28.07.2009 at 01:04, Howard Chu wrote:
> Hi Howard,
>> A second problem, maybe you can give me a pointer: I would like to
>> assign the right to add, modify and delete an object to an attribute
>> inside the same object (and necessarily to the container object).
>> Maybe ACI and the corresponding overlay is what i need. Or can this
>> be
>> solved by using regex?
>
> I don't understand this question, give a more detailed example...
> Ok, for example, I have two objects like that:
>
> dn: ou=container,o=org,c=de
> objectClass: top
> objectClass: organizationalUnit
> ou: container
>
> and
>
> dn: cn=person,ou=container,o=org,c=de
> objectClass: top
> objectClass: person
> cn: person
> sn: jackson
>
> Now I would like to add some kind of acl to the cn=person (the
> objectClass "acl" is not real, but it should demonstrate what I need):
>
> dn: cn=person,ou=container,o=org,c=de
> objectClass: top
> objectClass: person
> objectClass: acl
> cn: person
> sn: jackson
> aclAllowByDn: cn=user1,ou=users,o=org,c=de
>
> So if the user "user1" binds successfully he has the permission to
> modify the entry.
This can be accomplished with a dnattr= "who" statement; in your example, that
could be something like

  access to dn.subtree="ou=container,o=org,c=de"
      by dnattr="aclAllowByDn" write

The "manager" attribute is sometimes used for this purpose.
> When a new entry is created or an entry is deleted, I
> also need write access to the parent object in the tree, so I have to
> expand the ou=container object too in some way to allow the operation.
I think dnattr may work there as well, assuming you choose a multi-valued
DN-valued attribute for storing the authorized DNs.
> It should be possible to assign the right to add, modify and delete
> dynamically to another ldap object, e.g. a user object.
Regards,
Buchan
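As an added illustration of the dnattr approach discussed in this thread (this is example configuration, not something posted by Jens or Buchan), here is how the schema and slapd.conf access directives could be laid out for the two entries from the question. It assumes the "acl" objectClass and the aclAllowByDn attribute are defined locally with placeholder OIDs, that both ou=container and cn=person carry `objectClass: acl` and `aclAllowByDn: cn=user1,ou=users,o=org,c=de`, and that the directory is otherwise world-readable.

```conf
# Added example (not part of this thread): delegating write on entries under
# ou=container,o=org,c=de to the DNs listed in each entry's aclAllowByDn.
#
# 1. Schema. The "acl" objectClass in the thread is made up, so it is defined
#    here as an auxiliary class. The OIDs 1.1.1.* are placeholders; replace
#    them with OIDs from your own arc before use.
attributetype ( 1.1.1.1 NAME 'aclAllowByDn'
    DESC 'hypothetical: DNs allowed to write this entry (multi-valued)'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

objectclass ( 1.1.1.2 NAME 'acl' SUP top AUXILIARY
    DESC 'hypothetical: carries aclAllowByDn'
    MAY aclAllowByDn )

# 2. Access control. slapd uses the first directive whose "to" clause
#    matches the target, so the narrower directives come first.

# Add and delete need write on the "children" pseudo-attribute of the parent
# and on the "entry" pseudo-attribute of the entry being added or deleted.
# dnattr compares the bound DN with the values stored in the entry being
# checked, so the container's own aclAllowByDn must list the delegated DN
# for the children check; that is why the attribute sits on both entries.
access to dn.subtree="ou=container,o=org,c=de" attrs=entry,children
    by dnattr=aclAllowByDn write
    by * read

# Everything else in the subtree: ordinary attribute modification.
access to dn.subtree="ou=container,o=org,c=de"
    by dnattr=aclAllowByDn write
    by * read

# The rest of the directory.
access to *
    by * read
```

Two things worth checking before relying on this. First, run slapd with `-d acl` and try the add, modify and delete as user1; the log shows each "entry"/"children"/attribute decision, which is the quickest way to see which entry's aclAllowByDn was consulted. Second, as written the delegated DNs can also write aclAllowByDn itself and so extend the delegation to others; a separate `attrs=aclAllowByDn` directive can keep that attribute read-only for them, at the price that those users can no longer add new entries that carry the attribute.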