Re: Advanced ACL configuration?
<stefan@alfredsson.org> wrote...
> I'm wondering if ACL's can be built by using information in the LDAP
> database itself?
>
> For example, if user X is authenticated and has an attribute
> (for example) canModify: uid=y, o=foobar
>
> then this user would have write access to the DN's listed?
>
> Maybe a better solution to define the relationships would be to use
> the tree structure instead?
> Then users can be given write access to the subtree?

access to dn=".*,uid=user1,..." by dn="uid=user1,.."

this'll give user1 access to all subentries. (but not to his own entry.)
but this is quite annoying, 'cause you've to restart slapd each time after
adding a user..
so, i'd prefer to use the data of the db to formulate the ACLs.

a similar discussion was in the mailing list some time ago:
<quote Howard Chu from Sat, 12 May 2001 19:57:41 -0700>
We have an "owner" object, which contains an "account" attribute, which
lists all of the accounts that are owned by the "owner." So, an ACL like:

  access to *
    by selfattr=account write

says to check if the entry of the current logged-in user contains an
"account" attribute, and the DN of the target object is listed there, then
give write access to the target.
</quote>

have a look at the list archive, (especially the above mentioned thread)
there were some discussions about advanced ACLs, and some of them were
pretty good.

daniel
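An added example, not from this thread or from OpenLDAP itself: a small Python evaluator over constructed entries that models the two ACL styles discussed above, the tree-based rule from the reply (anchored so that uid=user10 cannot match a rule meant for uid=user1, and excluding the user's own entry as noted) and the data-driven rule from the quoted message. The DNs, the ou=people branch, the attribute name "account" and the function names are assumptions.

```python
import re

# Constructed sample directory (not from the thread): DN -> attributes.
DIRECTORY = {
    "uid=user1,ou=people,o=foobar": {"objectClass": ["person"]},
    "cn=mail,uid=user1,ou=people,o=foobar": {"objectClass": ["subentry"]},
    "uid=user2,ou=people,o=foobar": {"objectClass": ["person"]},
    "uid=owner,ou=people,o=foobar": {
        "objectClass": ["owner"],
        # The "owner" entry lists the accounts it may modify.
        "account": ["uid=user1,ou=people,o=foobar",
                    "uid=user2,ou=people,o=foobar"],
    },
}

PEOPLE = "ou=people,o=foobar"  # assumed branch holding user entries


def subtree_rule(bound_dn: str, target_dn: str) -> bool:
    """Tree-based ACL: bound user may write anything *below* its own
    entry.  fullmatch anchors both ends, and '.+,' requires at least one
    RDN in front, so the user's own entry is not covered."""
    m = re.fullmatch(rf"uid=([^,]+),{PEOPLE}", bound_dn)
    if not m:
        return False
    pattern = rf".+,uid={re.escape(m.group(1))},{PEOPLE}"
    return re.fullmatch(pattern, target_dn) is not None


def attribute_rule(bound_dn: str, target_dn: str, attr: str = "account") -> bool:
    """Data-driven ACL: write is allowed when the bound user's own entry
    lists the target DN in <attr>.  Adding a value to the entry changes
    the decision at once; no ACL edit or slapd restart is involved.
    (A real slapd normalizes DNs before comparing; this compares text.)"""
    entry = DIRECTORY.get(bound_dn, {})
    return target_dn in entry.get(attr, [])


def can_write(bound_dn: str, target_dn: str) -> bool:
    """Combined decision: either rule is sufficient."""
    return subtree_rule(bound_dn, target_dn) or attribute_rule(bound_dn, target_dn)
```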