
Re: "dynamic" acls



Alexander Blüm wrote:
> would you have to use the groupOfNames?

I use groupOfUniqueNames, but I think groupOfNames will work fine.

> could you show an example?

This is an example of one of our "dynamic" rules. You mentioned that you would like to *suppress* access using certain rules, whereas I generally *allow* access. It should be pretty similar, though, except the order of things might need to change (watch the spacing below!!):


## Branch Managers can write within their own branch
access to dn="ou=(.*),dc=xxxxx,dc=edu"
    by group/groupOfUniqueNames/uniqueMember="gn=Manager,ou=$1,dc=xxxxx,dc=edu" write
    by self write
    by * read
    by anonymous auth

This allows anyone in the group "gn=Manager" under any given ou to
edit any records within that ou.  (Also note that the "gn" thing is
a stupid mistake which is not strictly allowed :-/)

You should be able to come up with something that has the correct
behavior and the right "dynamicness".

HTH,
JZ
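
A simplified model of how the rule above is evaluated, added here as an illustration (it is not part of the original message and is not OpenLDAP code): the regex capture from the target DN is substituted for `$1` in the group DN, and the `by` clauses are tried in order with the first match winning. The sample entries, the `norm` helper and the crude DN normalisation are assumptions made for the example.

```python
import re

# Target pattern and group template taken from the rule in the post.
TARGET_RE = re.compile(r"ou=(.*),dc=xxxxx,dc=edu")   # unanchored, greedy
GROUP_TEMPLATE = "gn=Manager,ou=$1,dc=xxxxx,dc=edu"

# Constructed sample directory: group DN -> uniqueMember values.
GROUPS = {
    "gn=manager,ou=sales,dc=xxxxx,dc=edu": {"uid=alice,ou=sales,dc=xxxxx,dc=edu"},
}

def norm(dn):
    """Crude DN normalisation (assumption): trim spaces around RDNs, lowercase."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def expanded_group(target_dn):
    """Group DN the rule checks for this target, or None if the rule does not match."""
    m = TARGET_RE.search(norm(target_dn))
    if m is None:
        return None
    return norm(GROUP_TEMPLATE.replace("$1", m.group(1)))

def access(requester_dn, target_dn):
    """Level granted by this one rule; requester_dn=None models an anonymous bind."""
    group_dn = expanded_group(target_dn)
    if group_dn is None:
        return None                      # rule does not apply to this entry
    who = norm(requester_dn) if requester_dn else None
    if who is not None and who in GROUPS.get(group_dn, set()):
        return "write"                   # by group/... write
    if who is not None and who == norm(target_dn):
        return "write"                   # by self write
    return "read"                        # by * read; it also matches anonymous,
                                         # so "by anonymous auth" is never reached

if __name__ == "__main__":
    nested = "uid=dave,ou=Team,ou=Sales,dc=xxxxx,dc=edu"
    # The greedy capture takes everything after the first "ou=", so a nested
    # ou is checked against its own Manager group, not the parent's.
    print(expanded_group(nested))
    print(access("uid=alice,ou=Sales,dc=xxxxx,dc=edu", nested))
```
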