Re: Openldap fine grained / advanced ACLs

["Faraz R. Khan" <faraz.khan@emergen.biz>]

So basically I can do:

to * by cn=admin,dc=company,dc=com add by cn=faraz,dc=company,dc=com zap

That is indeed not documented anywhere. Will start an ITS



Pierangelo Masarati wrote:
> Faraz R. Khan wrote:
> > Is it possible to have fine grained ACLs in OpenLDAP? My problem is 
> > that the 'write' access is too broad. I wish to be able to control 
> > ADD, modify and delete separately. I tried looking at 
> > aacls.sourceforge.net but it involves the setup of a separate server 
> > and looks abandoned.
> >
> > Any pointers would be appreciated- maybe the denyop module? I was 
> > trying to find some docs but all I could find was a FAQ entry.
>
> OpenLDAP 2.4 allows to split the write privilege into "a" (add) and "z" 
> (zap).  A separate privilege for "modify" does not make too much sense 
> to me: if a value is added, then one just needs "add"; if a (set of) 
> value(s) is replaced, then one needs both "zap" (to delete old values) 
> and "add" (to add new ones), and thus "write" is just fine.  On a 
> related note, I just realized this is not documented anywhere but in the 
> mailing list.  I suggest you file an ITS <http://ww.openldap.org/its/> 
> to request a documentation update.
>
> p.
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> -----------------------------------
> Office:  +39 02 23998309
> Mobile:  +39 333 4963172
> Email:   ando@sys-net.it
> -----------------------------------

--
Faraz R Khan
Chief Architect
Emergen Consulting Pvt Ltd
+92.21.529.0381 x200
www.emergen.biz