Re: access given to parent entry

François Beretti wrote:
> Pierangelo Masarati wrote:
>> To make it short, "by self[n] write", recycling the "self" clause, or
>> "ancestor[n]", with "self" given by n=0 and "parent" given by n=1?
>
> Yeah, great, I will accept any of these solutions :-)
>
> In my company we develop software storing objects under user entries, and this would be very, very useful!

OK, I have a working tentative solution of the type:

access to *
   by self write
   by self.level{1} read
   by self.level{-1} compare
   by dn.exact="cn=some,dc=org" search
   by dn.level{2} auth

Note that:
- self{1} means that access to "cn=some,dc=org" by "cn=one,cn=some,dc=org" matches, i.e. {n} levels are cut from the user;
- self{-1} means that access to "cn=some,dc=org" by "dc=org" matches, i.e. in case of {-n}, n levels are cut from the target;
- dn.level{n} means that match occurs at a given depth from the leftmost part of the user's DN; of course dn.level{1} == onelevel and dn.level{0} == base.

Your initial case of granting write permission to each entry by their immediate ancestor would be

access to *
   by self.level{-1} write

This seems to work fine also with back-config.

Please file an ITS so we can keep track of the feature, discuss the details, update slapd.access(5) and so on.
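A small model of the matching rules described in the message, added here as an illustration (not slapd's own code): it implements the self.level{n} / self.level{-n} semantics from the notes, dn.level{n} against a pattern, and first-match evaluation of the "access to *" example. It assumes normalized DNs with no escaped commas, and supplies "dc=org" as the pattern for the message's pattern-less "dn.level{2}" clause.

```python
from typing import List, Optional

# Model of the proposed "self.level{n}" / "dn.level{n}" ACL matching, written
# from the semantics described in the message; this is not slapd's own code.
# Assumption: DNs are already normalized (lower case, comma-separated, no
# escaped commas), so splitting on "," is enough for the illustration.

def rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs, leftmost (leaf) first."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def cut(dn: str, n: int) -> Optional[str]:
    """Drop the n leftmost RDNs; None when that would leave an empty DN."""
    parts = rdns(dn)
    if n < 0 or n >= len(parts):
        return None
    return ",".join(parts[n:])

def self_level_matches(target: str, user: str, n: int) -> bool:
    """self.level{n}: n >= 0 cuts n levels from the user, n < 0 cuts -n from the target."""
    if n >= 0:
        return cut(user, n) == cut(target, 0)
    return cut(target, -n) == cut(user, 0)

def dn_level_matches(pattern: str, user: str, n: int) -> bool:
    """dn.level{n}="pattern": user's DN with n leftmost RDNs removed equals pattern.
    n=0 behaves like dn.base, n=1 like dn.onelevel."""
    return cut(user, n) == cut(pattern, 0)

def access_for(target: str, user: str) -> str:
    """Evaluate the 'access to *' example from the message; first matching clause wins.
    The message's 'dn.level{2}' clause has no pattern, so "dc=org" is assumed here."""
    clauses = [
        (lambda t, u: self_level_matches(t, u, 0), "write"),
        (lambda t, u: self_level_matches(t, u, 1), "read"),
        (lambda t, u: self_level_matches(t, u, -1), "compare"),
        (lambda t, u: rdns(u) == rdns("cn=some,dc=org"), "search"),
        (lambda t, u: dn_level_matches("dc=org", u, 2), "auth"),
    ]
    for matches, access in clauses:
        if matches(target, user):
            return access
    return "none"  # no clause matched: nothing granted

if __name__ == "__main__":
    print(access_for("cn=some,dc=org", "cn=one,cn=some,dc=org"))  # read
    print(access_for("cn=some,dc=org", "dc=org"))                 # compare
```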