Re: Help for special ACL needed
--On Thursday, April 30, 2009 11:44 AM +0200 Florian Götz <f.goetz@hs-mannheim.de> wrote:
A warm "Hello" from Germany to the openldap-technical list!

I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server. I need to write an ACL which allows a user to see his own entry (objectClass built up on inetOrgPerson) and nothing else. I know that this isn't the intended use of the LDAP system, but our manager wants it that way.
Have you looked at the "self" keyword?
The keyword self means access to an entry is allowed to the entry itself (e.g. the entry being accessed and the requesting entry must be the same). It allows the level{<n>} style, where <n> indicates what ancestor of the DN is to be used in matches. A positive value indicates that the <n>-th ancestor of the user's DN is to be considered; a negative value indicates that the <n>-th ancestor of the target is to be considered. For example, a "by self.level{1} ..." clause would match when the object "dc=example,dc=com" is accessed by "cn=User,dc=example,dc=com". A "by self.level{-1} ..." clause would match when the same user accesses the object "ou=Address Book,cn=User,dc=example,dc=com".
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
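A slapd.conf ACL that does what Florian asks, added here as an illustration; it is not part of Quanah's reply or of the slapd.access(5) text he quotes. The suffix dc=example,dc=com is taken from the man page example, and the rule layout and attribute choices are assumptions to be adapted to the real DIT:

```conf
# Added example (not from the original thread): restrict every bound user
# to reading his own entry and nothing else.  Assumes suffix
# dc=example,dc=com and simple binds against userPassword.
#
# slapd evaluates "access to" clauses in order and the first one whose
# target matches decides, so the userPassword rule must come before the
# catch-all.  Within a clause, the first matching "by" wins.

# userPassword: anonymous may use it to authenticate (simple bind), but
# nobody, not even the owner, can read the hash back.
access to attrs=userPassword
        by anonymous auth
        by * none

# Everything else:
#   self            -> the requester's DN equals the entry's DN: read.
#   self.level{-1}  -> the entry's parent is the requester's DN, i.e. the
#                      man page's "ou=Address Book,cn=User,..." case.
#                      Drop this line if "nothing else" is meant literally.
#   * none          -> anonymous and all other users see nothing.
access to *
        by self read
        by self.level{-1} read
        by * none

# Check (constructed DN): a base-scope search on the user's own DN succeeds,
# a search on anyone else's DN or on the suffix returns nothing.
#   ldapsearch -x -D "cn=User,dc=example,dc=com" -W \
#              -b "cn=User,dc=example,dc=com" -s base
```

Two practical notes. First, read access implies search access, so the base-scope search above works; a subtree search rooted at the suffix does not, because the user has no search access to the entry attribute of that base object, which is exactly the "nothing else" Florian wants, but clients must be configured to search with their own DN as base. Second, on a cn=config server the same three clauses go into olcAccess values on the database entry, numbered in the same order ({0} for the userPassword rule, {1} for the catch-all); the rootdn is not subject to these ACLs, so administration is unaffected.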