[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP 2.1 and ACL

To: <h.b.furuseth@usit.uio.no>
Subject: Re: OpenLDAP 2.1 and ACL
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Tue, 21 Jan 2003 15:16:50 +0100 (CET)
Cc: <emmanuel.blot@free.fr>, <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <HBF.20030121c88n@bombur.uio.no>
References: <016801c2ba8c$5f5cf2f0$0f06a8c0@oulx> <HBF.20030113kanr@bombur.uio.no> <013f01c2bfe5$fa31f830$0f06a8c0@oulx> <HBF.20030121c88n@bombur.uio.no>

> Emmanuel Blot writes:
>> I'd like to give different access rights depending on the 'gid' value.
>>
>> gid>=10, user can write maildrop and cn
>> gid>=2, user can write maildrop, but can only read cn
>>
>> What kind of ACL rules can I use to implement this kind of control ?
>> Is there some rules for <who> that will be something like "by filter =
>> (group>=8)" ... ??
>
> I don't see how.  Both filter= and attrs= are in the <what> part of
> ACLs, and I don't think <what> can have several components.
> I think you'll have to use ACIs.

By using "break" one can have ACL checking continues to other
access statements; if you can write several <what> parts that
end up in what you need, then it's done (but it's still a
nightmare...)

Ando

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- OpenLDAP 2.1 and filters
  - From: "Emmanuel Blot" <emmanuel.blot@free.fr>
- Re: OpenLDAP 2.1 and filters
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: OpenLDAP 2.1 and ACL
  - From: "Emmanuel Blot" <emmanuel.blot@free.fr>
- Re: OpenLDAP 2.1 and ACL
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: OpenLDAP 2.1 and ACL
Next by Date: Re: unable to install openldap 2.1
Index(es):
- Chronological
- Thread