Re: Advanced ACL configuration?
Daniel Tiefnig wrote:
> access to *
> by selfattr=account write
There's no "selfattr" acl subject to my knowledge.
Maybe the "dnattr" attribute was addressed. It should
be set to the attribute type that contains the "dn"
of who's allowed to modify an entry. So the modifier's
identity can be listed in the entry itself; e.g., given
the group

dn: cn=Your Group,ou=Groups,dc=your,dc=org
objectClass: top
objectClass: groupOfNames
owner: cn=Your Group Owner,ou=People,dc=your,dc=org
member: cn=Yourself,ou=People,dc=your,dc=org

access to its members can be:

access to dn="cn=Your Group,ou=Groups,dc=your,dc=org"
        attrs=member
        by dnattr=member selfwrite
        by dnattr=owner write
        by * none

so that the owner of the group can add/modify/delete
anybody from the group, while a member can only
add/remove him/herself.
Pierangelo.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
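
Added example, not part of the original message and not OpenLDAP code: a simplified Python model of how the three "by" clauses in the ACL above decide a write to the member attribute, useful for reasoning about who can change group membership. The names norm, CLAUSES and may_write_member are hypothetical; the model assumes clauses are tried in order, that a selfwrite clause only admits the requester's own DN as the value, and that a non-matching clause falls through to the next one.

```python
def norm(dn):
    """Crude DN normalisation: case-fold, drop spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in (dn or "").split(","))

# Constructed sample entry, copied from the group shown in the message.
GROUP = {
    "owner": ["cn=Your Group Owner,ou=People,dc=your,dc=org"],
    "member": ["cn=Yourself,ou=People,dc=your,dc=org"],
}

# (who, access level) in the same order as the ACL in the message.
CLAUSES = [
    ("dnattr=member", "selfwrite"),
    ("dnattr=owner", "write"),
    ("*", "none"),
]

def may_write_member(entry, requester, value):
    """Return (allowed, deciding_clause) for adding/deleting `value` in member."""
    req, val = norm(requester), norm(value)
    for who, level in CLAUSES:
        if who == "*":
            return level != "none", who
        attr = who.split("=", 1)[1]
        listed = req in {norm(v) for v in entry.get(attr, [])}
        if level == "selfwrite":
            # Self clause: the value being written must be the requester's own DN.
            # Assumption: this holds whether or not the requester is listed yet,
            # so a user can add as well as remove him/herself.
            if req and val == req:
                return True, who
            continue  # any other value: try the next clause
        if listed:
            return level == "write", who
    return False, None

if __name__ == "__main__":
    owner = "cn=Your Group Owner,ou=People,dc=your,dc=org"
    me = "CN=Yourself, OU=People, DC=your, DC=org"   # same DN, different spelling
    other = "cn=Somebody Else,ou=People,dc=your,dc=org"  # constructed DN
    for who, val in [(owner, other), (me, me), (me, other), (other, me), ("", me)]:
        print(f"{who or '(anonymous)'} -> {val}: {may_write_member(GROUP, who, val)}")
```
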