
Let "self" create new entries
Hello,

I'm quite new to LDAP and at the moment I'm really just playing around
and trying to learn how to configure and use OpenLDAP correctly.

So I set up some kind of small address directory, as could be used by
my family to have a central place where addresses can be stored, just
to keep in contact. The setup looks like this:

# reading out data as authenticated user
access to dn.children="ou=people,dc=example,dc=org"
        by self write
        by users read
access to dn.base="ou=people,dc=example,dc=org"
        by users read
access to dn.base="dc=example,dc=org"
        by users read

This seems to work fine: I can log in using my dn
	uid=wolfgang,ou=people,dc=example,dc=org
and I can change my details, and view the details of the other uids.

Then I thought it would be nice to be able to create my own address
books within my "self" contact, such as
	ou=adrbook01,uid=wolfgang,ou=people,dc=example,dc=org
and have in there contacts that can only be viewed by me. All other
users should be able to do the same thing, of course. So I tried to
create the new ou=adrbook01 entry and got a "no write access to entry".
As I understand it, I may only add and change attributes that lie
within my binddn.

So, now my question is: how can I configure slapd to enable users to
build their own subtrees, without having to give a rule for every
single uid that lies within ou=people?

Thanks in advance,
  Wolfgang
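One way to get there, as an added example that is not part of the original post or any reply: capture the owning uid of the entry with dn.regex and expand it into the <who> clause, since "self" only matches when the bind DN is exactly the DN of the entry being accessed and so never matches an entry below uid=wolfgang. It assumes the poster's suffix dc=example,dc=org and the slapd.conf ACL syntax; the ou=adrbook01 name is the poster's.

```conf
# Added example ACLs (not from the original post): let every user under
# ou=people create and manage entries beneath their own uid= entry.
# Assumes the suffix dc=example,dc=org used in the post.

# 1. Entries BELOW a user's own entry (e.g. ou=adrbook01,uid=wolfgang,...).
#    "self" cannot match here, so the owning uid is captured by the regex
#    and expanded into the <who> clause. This rule must come before the
#    broader dn.children rule: the first <what> that matches is used.
access to dn.regex="^.+,uid=([^,]+),ou=people,dc=example,dc=org$"
        by dn.exact,expand="uid=$1,ou=people,dc=example,dc=org" write
        by * none

# 2. The user entries themselves, unchanged from the original setup. An add
#    below uid=wolfgang also needs write access to that entry's "children"
#    pseudo-attribute, which "by self write" with no attrs list grants.
access to dn.children="ou=people,dc=example,dc=org"
        by self write
        by users read

# 3. Containers stay readable to authenticated users so searches can descend.
access to dn.base="ou=people,dc=example,dc=org"
        by users read
access to dn.base="dc=example,dc=org"
        by users read
```

With rule 1 in place, "by * none" keeps each user's address book invisible to the other users while the uid entries themselves remain readable through rule 2.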