Re: Assigning user access to parts of tree
> How does one go about assigning varying access and password control to
> different parts of the tree to various users? I.e. userA can read and
> write "dn:ou=virtualDomain,dc=abcd,dc=com" while userB can read/write
> "dn:ou=virtualHost,dc=abcd,dc=com" but only read userA's DN.
You can do it in two ways:
- you can create an instance of objectClass groupOfNames under
"ou=virtualDomain,dc=abcd,dc=com" called
"cn=RWusers,ou=virtualDomain,dc=abcd,dc=com" (or some other name...)
with a value of attribute member set to userA,...; similarly, in branch
"ou=virtualHost,dc=abcd,dc=com" you put a groupOfNames
"cn=RWusers,ou=virtualHost,dc=abcd,dc=com" with member: userB,... and
a groupOfNames "cn=ROusers,ou=virtualHost,dc=abcd,dc=com" with
member: userA,...
In ACL you put a line like
# target is a regex: $1 is the entry's RDN part, $2 is only the value
# after "ou=" (e.g. virtualDomain), so the group patterns need "ou=$2";
# anchors keep the rule from matching DNs that merely contain the suffix
# (newer slapd releases spell these styles dn.regex= and group.expand=)
access to dn="^(.*),ou=(.*),dc=abcd,dc=com$"
        by self write
        by group="cn=RWusers,ou=$2,dc=abcd,dc=com" write
        by group="cn=ROusers,ou=$2,dc=abcd,dc=com" read
In this way, every DN specified as member of a groupOfNames called
RWusers under a subtree X can read/write under the same subtree, and every
DN specified as member of a groupOfNames called ROusers under a subtree
X can read under the subtree.
- in a less general way, if userA is ever under subtree
ou=virtualDomain,dc=abcd,dc=com (e.g. every entry can read/write in its
subtree and only read in other subtrees) you can use a regular expression like
# same capture groups as above; "ou=$2" restricts write to entries whose
# bind DN sits in the same ou as the target entry
access to dn="^(.*),ou=(.*),dc=abcd,dc=com$"
        by self write
        by dn="^.*,ou=$2,dc=abcd,dc=com$" write
        by dn="^.*,ou=.*,dc=abcd,dc=com$" read
--------------------------------------------------------
Marco Ferrante (ferrante@unige.it)
CSITA (Centro Servizi Informatici e Telematici d'Ateneo)
Università degli Studi di Genova - Italy
Viale Brigata Salerno - 16147 Genova
tel (+39) 0103532621 (interno tel. 2621)
--------------------------------------------------------
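To check the group-based rule offline before loading it into slapd, here is an added Python model of the regex target match and $n expansion; it is my code, not from the reply, and the user, group and entry DNs are constructed. It simplifies slapd (one access clause, first matching "by" wins, no match means deny) and shows why the group pattern has to read "ou=$2": $2 captures only the text after "ou=".

```python
import re

# Constructed directory data: the groupOfNames entries the reply describes.
BASE = "dc=abcd,dc=com"
USER_A = f"uid=userA,ou=people,{BASE}"
USER_B = f"uid=userB,ou=people,{BASE}"
GROUPS = {  # group DN -> set of member DNs
    f"cn=RWusers,ou=virtualDomain,{BASE}": {USER_A},
    f"cn=RWusers,ou=virtualHost,{BASE}": {USER_B},
    f"cn=ROusers,ou=virtualHost,{BASE}": {USER_A},
}

# The reply's ACL as (target regex, ordered list of (who, pattern, access)).
ACL = (
    rf"^(.*),ou=(.*),{BASE}$",
    [
        ("self", None, "write"),
        ("group", f"cn=RWusers,ou=$2,{BASE}", "write"),
        ("group", f"cn=ROusers,ou=$2,{BASE}", "read"),
    ],
)


def expand(pattern, match):
    """Replace $1..$9 in a 'by' pattern with the target regex's capture groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), pattern)


def evaluate(acl, target_dn, bind_dn):
    """Access the first matching 'by' clause grants to bind_dn on target_dn.

    Returns 'none' when the target regex or no 'by' clause matches, which is
    what slapd does: an entry with no applicable clause is denied.
    """
    target_re, clauses = acl
    m = re.match(target_re, target_dn)
    if not m:
        return "none"
    for who, pattern, access in clauses:
        if who == "self" and bind_dn == target_dn:
            return access
        if who == "group" and bind_dn in GROUPS.get(expand(pattern, m), set()):
            return access
    return "none"


if __name__ == "__main__":
    for user in (USER_A, USER_B):
        for ou in ("virtualDomain", "virtualHost"):
            print(user, ou, evaluate(ACL, f"cn=x,ou={ou},{BASE}", user))
```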