
Re: multiple admins and access rights



Rick Fadler wrote:
> 
> "Kurt D. Zeilenga" wrote:
> >
> > At 12:26 PM 4/14/00 +0200, Kai Martius wrote:
> > >Hello,
> > >
> > >First, thanks to the developers for the great job done with OpenLDAP!
> > >
> > >Here's my question:
> > >Is it possible within the current access control model to have something
> > >like "shared administration", that is, I want to grant the right to
> > >create new entries with a specific set of attributes to Admin1. Admin2
> > >should be able to modify these entries by adding / modifying other
> > >attributes, but neither to modify the entries written by Admin1 nor to
> > >delete the entry itself. I tried it with the following access rules
> > >(that didn't work :-( ).
> > >
> > >Admin2 should have the right to add / modify a postaladdress, but
> > >nothing else. Admin1 therefore should be able to create the entry and
> > >write cn, ou, o and c attributes:
> > >
> > >defaultaccess   read
> > >access         to   * attrs=dn,cn,ou,o,c
> > >                     by dn="cn=Admin1,o=myorg,c=de"            write
> > >                     by *                                       read
> > >
> > >access          to * attr=postaladdress
> > >                     by dn="cn=Admin2,o=myorg,c=de"            write
> > >                     by *                                       read
> > >
> > >Did I miss something important here?
> >
> > Permission to write to the entry.
> >
> > access to * attrs=entry
> >         by dn="cn=Admin?,o=myorg,c=de" write
> >         by * read
> 
> I'm struggling with the same type of problem as Kai. I found using the
> following did not work in my environment:
> 
> access to *
>     by dn="uid=admin?,ou=People,o=regence" write
>     by self write
>     by * read
> 
> I tried the following with success.
> access to *
>     by dn="uid=admin[0-9],ou=People,o=regence" write
>     by self write
>     by * read
> 
> Does anyone have any suggestions as to why the "?" fails? Both "admin?"
> and "admin[0-9]" appear to be valid regular expressions.
> 
> --
> Rick Fadler
> rfadler@keystroke.com
> 206-576-4579

For further clarification, I also tried the following with success.
access to *
    by dn="uid=admin.*,ou=People,o=regence" write
    by self write
    by * read

access to *
    by dn="uid=admin.,ou=People,o=regence" write
    by self write
    by * read

-- 
Rick Fadler
rfadler@keystroke.com
206-576-4579
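To see why the four patterns above behave as they do, here is an added Python illustration (not from the thread and not OpenLDAP's own code) that emulates the comparison slapd makes between a `by dn=<regex>` clause and the bound DN; it assumes an extended, case-insensitive, unanchored regex match (as regexec() would do) and the sample bind DNs are constructed. In a regex `?` quantifies the preceding character, so `admin?` matches `admi` or `admin` but never `admin1`.

```python
import re


def acl_dn_matches(pattern: str, bind_dn: str) -> bool:
    """Emulate slapd's 'by dn=<regex>' test (assumption: POSIX extended
    regex, case-insensitive, unanchored, like regexec()); re.search gives
    the same unanchored semantics in Python."""
    return re.search(pattern, bind_dn, re.IGNORECASE) is not None


def admitted_dns(pattern: str, candidates: list[str]) -> list[str]:
    """Return every candidate DN the clause would grant 'write' to."""
    return [dn for dn in candidates if acl_dn_matches(pattern, dn)]


# Constructed sample bind DNs (not from the thread), chosen to expose the
# difference between the patterns discussed above.
SAMPLE_DNS = [
    "uid=admin1,ou=People,o=regence",
    "uid=admin9,ou=People,o=regence",
    "uid=admin,ou=People,o=regence",        # no digit at all
    "uid=admi,ou=People,o=regence",         # 'admin?' makes the n optional
    "uid=adminbackup,ou=People,o=regence",  # anything after 'admin'
    "uid=admin1,ou=People,o=regence,c=us",  # longer suffix, same prefix
]

# The four clauses from the thread plus an anchored variant for comparison.
PATTERNS = {
    "admin?": "uid=admin?,ou=People,o=regence",
    "admin[0-9]": "uid=admin[0-9],ou=People,o=regence",
    "admin.*": "uid=admin.*,ou=People,o=regence",
    "admin.": "uid=admin.,ou=People,o=regence",
    "anchored": "^uid=admin[0-9],ou=People,o=regence$",
}

if __name__ == "__main__":
    # Shows which constructed DNs each clause would admit; 'admin?' admits
    # only 'admi'/'admin', which is why it looked as if it "failed".
    for name, pat in PATTERNS.items():
        print(f"{name:12} -> {admitted_dns(pat, SAMPLE_DNS)}")
```

Running it also shows that the unanchored forms admit the `,c=us` DN, while the `^...$` variant admits exactly `admin1` and `admin9`, so anchoring the regex is the safer way to write such a clause.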