[Date Prev][Date Next] [Chronological] [Thread] [Top]

Write access for users to their children

To: openldap-software@OpenLDAP.org
Subject: Write access for users to their children
From: Tony Lembke <tony@lemlink.com.au>
Date: Tue, 4 Jan 2005 08:23:04 +1100

I would value the advice of the list on developing the correct access control statement that would allow a user to write to their own entry and to any entry beneath them in the tree. I have tried the method in the FAQ at http://www.openldap.org/faq/data/cache/653.html but can't get it to produce the right outcome.

Specifically, root domain dc=medicine,dc=net,dc=au level one ou=Hospital One ou=Northern GPs ....... (about 30 organisations) level two ou=Emergency & ou=Surgery... ou=High St Clinic & ou=Family Med Centre... level three cn=Mark Green cn=Victor Chang cn=Marcus Welby cn=Dr Jekyl

I'd like someone who has a bind as Hospital One to be able to add and edit departments (level two) and their doctors (level three), and someone with a bind as Emergency to be able to add and edit doctors within that department.

I have tried combinations of this ACL without success and would appreciate some advice. Thanks.

access to attrs=userPassword
	by self write
	by * auth
access to dn.regex="(.+),?(ou=[^,]+,dc=medicine,dc=org,dc=au)$"
    by dn.exact,expand="$2" write
    by anonymous auth
access to *
	by self write
	by * read

Tony Lembke
tony@lemlink.com.au

Prev by Date: Re: Bugus tree ?
Next by Date: Question about Openldap+Oracle10g
Index(es):
- Chronological
- Thread