
Re: Mirror mode with additional consumer



On Tuesday, 28 July 2009 10:31:21 Jens Thomas wrote:
> Am 28.07.2009 um 01:04 schrieb Howard Chu:
>
> Hi Howard,
>
> >> A second problem, maybe you can give me a pointer: I would like to
> >> assign the right to add, modify and delete an object to an attribute
> >> inside the same object (and necessarily to the container object).
> >> Maybe ACI and the corresponding overlay is what i need. Or can this
> >> be
> >> solved by using regex?
> >
> > I don't understand this question, give a more detailed example...
>
> Ok, for example, I have two objects like that:
>
> dn: ou=container,o=org,c=de
> objectClass: top
> objectClass: organizationalUnit
> ou: container
>
> and
>
> dn: cn=person,ou=container,o=org,c=de
> objectClass: top
> objectClass: person
> cn: person
> sn: jackson
>
> Now I would like to add some kind of acl to the cn=person (the
> objectClass "acl" is not real, but it should demonstrate what I need):
>
> dn: cn=person,ou=container,o=org,c=de
> objectClass: top
> objectClass: person
> objectClass: acl
> cn: person
> sn: jackson
> aclAllowByDn: cn=user1,ou=users,o=org,c=de
>
> So if the user "user1" binds successfully he has the permission to
> modify the entry.

This can be accomplished with a dnattr= "who" statement, in your example, that 
could be something like

access to dn.subtree="ou=container,o=org,c=de" by dnattr=aclAllowByDn write

The "manager" attribute is sometimes used for this purpose.

> When a new entry is created or an entry is deleted, I
> also need write access to the parent object in the tree, so I have to
> expand the ou=container object too in some way to allow the operation.

I think dnattr may work there as well, assuming you choose a multi-valued DN-
valued attribute for storing the authorized DNs.


> It should be possible to assign the right to add, modify and delete
> dynamically to another ldap object, e.g. a user object.

Regards,
Buchan
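The following is an added, worked slapd.conf-style configuration that puts the dnattr suggestion from the thread together for both cases discussed above (modifying an existing entry, and adding or deleting entries under ou=container). It is not configuration from the thread's participants or from the OpenLDAP project. The schema for aclAllowByDn and the auxiliary class are constructed here because the thread says they do not exist; the OIDs are placeholders, and the administrator DN cn=admin,o=org,c=de is an assumption.

```text
# --- Schema (constructed example): a multi-valued, DN-syntax attribute.
#     dnattr only works with an attribute whose syntax is distinguishedName,
#     because slapd compares the bound DN against the attribute's values.
#     OIDs below are placeholders; allocate real ones from your own arc.
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'aclAllowByDn'
    DESC 'DNs granted write access to this entry (constructed example)'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'acl'
    DESC 'Auxiliary class carrying aclAllowByDn (constructed example)'
    SUP top AUXILIARY
    MAY aclAllowByDn )

# --- ACLs. slapd uses the first "access to" clause whose target matches,
#     so the most specific rule comes first.

# 1. Only the administrator may change who is delegated write access.
#    Without this rule a delegated user could add further DNs to
#    aclAllowByDn and pass the grant on to anyone.
#    (cn=admin,o=org,c=de is an assumed administrator DN.)
access to dn.subtree="ou=container,o=org,c=de" attrs=aclAllowByDn
    by dn.exact="cn=admin,o=org,c=de" write
    by users read
    by * none

# 2. Add and delete are checked against the parent's "children"
#    pseudo-attribute, so ou=container itself carries aclAllowByDn
#    and the grant is made on its entry and children pseudo-attributes.
access to dn.exact="ou=container,o=org,c=de" attrs=entry,children
    by dnattr=aclAllowByDn write
    by users read
    by * none

# 3. Modifying an existing entry (e.g. cn=person) is granted to the DNs
#    listed in that entry's own aclAllowByDn; everyone else may read.
access to dn.subtree="ou=container,o=org,c=de"
    by dnattr=aclAllowByDn write
    by users read
    by * auth
```

With this in place, the entries from the thread would carry the grant as in the original example, and ou=container would additionally carry `aclAllowByDn: cn=user1,ou=users,o=org,c=de` so that user1 can add and delete children. Rule 1 is the part worth keeping even if the rest is restructured: a delegation attribute stored inside the delegated entry is itself a write target, and a grant that covers all attributes quietly includes it.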