
Re: multiple admins and access rights



At 12:26 PM 4/14/00 +0200, Kai Martius wrote:
>Hello,
>
>First, thanks to the developers for the great job done with OpenLDAP!
>
>Here's my question:
>Is it possible within the current access control model to have something
>like "shared administration", that is, I want to grant the right to
>create new entries with a specific set of attributes to Admin1. Admin2
>should be able to modify these entries by adding / modifying other
>attributes, but neither to modify the entries written by Admin1 nor to
>delete the entry itself. I tried it with the following access rules
>(that didn't work :-( ). 
>
>Admin2 should have the right to add / modify a postaladdress, but
>nothing else. Admin1 therefore should be able to create the entry and
>write cn, ou, o and c attributes:
>
>defaultaccess   read
>access  	to   * attrs=dn,cn,ou,o,c
>                     by dn="cn=Admin1,o=myorg,c=de"		write
>                     by *                                       read   
>
>access          to * attr=postaladdress
>                     by dn="cn=Admin2,o=myorg,c=de"		write
>        	     by *                                       read
>
>Did I miss something important here?

Permission to write to the entry.

access to * attrs=entry
	by dn="cn=Admin?,o=myorg,c=de" write
	by * read
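
An added example, not part of the original thread and not OpenLDAP code: a simplified Python model of first-match ACL evaluation, showing why the rules in the question refuse Admin2's change and what the `entry` clause from the reply alters. It assumes that a modify needs write on both the `entry` pseudo-attribute and the attribute being changed, and it reads `Admin?` in the reply as standing for Admin1 and Admin2.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Assumptions: the first "access to" clause listing the attribute applies, the
# first matching "by" clause inside it decides, otherwise defaultaccess; a
# modify needs write on the "entry" pseudo-attribute and on the attribute.
LEVELS = {"none": 0, "read": 1, "write": 2}
DEFAULT_ACCESS = "read"                      # "defaultaccess read" from the post

ADMIN1 = "cn=Admin1,o=myorg,c=de"
ADMIN2 = "cn=Admin2,o=myorg,c=de"

# Each rule: (attributes covered, [(who, level), ...]); "*" matches any DN.
QUESTION_RULES = [
    ({"dn", "cn", "ou", "o", "c"}, [(ADMIN1, "write"), ("*", "read")]),
    ({"postaladdress"},            [(ADMIN2, "write"), ("*", "read")]),
]
# The reply's clause, with "Admin?" read as Admin1 and Admin2 (assumption).
ENTRY_RULE = ({"entry"}, [(ADMIN1, "write"), (ADMIN2, "write"), ("*", "read")])
FIXED_RULES = [ENTRY_RULE] + QUESTION_RULES


def granted(rules, who, attr):
    """Return the access level `who` gets on `attr` under `rules`."""
    for attrs, by_clauses in rules:
        if attr.lower() not in attrs:
            continue
        for subject, level in by_clauses:
            if subject == "*" or subject.lower() == who.lower():
                return level
        return "none"        # clause applied but no "by" matched: no access
    return DEFAULT_ACCESS    # no clause covers this attribute


def can_modify(rules, who, attr):
    """True if `who` may write `attr`: needs write on entry and on attr."""
    need = LEVELS["write"]
    return (LEVELS[granted(rules, who, "entry")] >= need
            and LEVELS[granted(rules, who, attr)] >= need)


if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("with entry rule", FIXED_RULES)):
        for who, attr in ((ADMIN1, "cn"), (ADMIN2, "postaladdress"), (ADMIN2, "cn")):
            print(f"{name:16} {who:24} modify {attr:14} -> {can_modify(rules, who, attr)}")
```

With the `entry` clause in place, each admin can change only the attributes listed for them; Admin2 still gets only read on cn, ou, o and c.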