[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
help needed in setting acl
hi
I need some help in setting my ACL.
My dir hierarchy is
one organization
multiple organizationalUnit(s) underneath the organization
multile account(s) underneath each organizationalUnit.
multiple person(s) underneath each account.
account has uid & userPassword. Each person has a owner which is a dn to
the account that created it.
(1) One can bind ONLY to the account
(2) Each account can create, modify, delete person object underneath
itself. Each account can read person info of other accounts.
Somewhere I read about giving access to parent (maybe ldapv3?). I need
something like that or better still ability to grant add entry and
write access to each account. Any idea how I could do that? While the
below acl doesn't work, I though you could comment on it too.
# Access to the root organization
access to dn="o=IISc,c=IN"
by dn="cn=root,o=IISc,c=IN" write
by * read
# Access to organizationalUnits like CS, EE, ECE
access to dn=".*,o=IISc,c=IN" filter='objectclass=organizationalUnit'
by dn="cn=root,o=IISc,c=IN" write
by dn=".*,o=IISc,c=IN" read
by * none
# Access to userPassword in account
access to dn=".*,o=IISc,c=IN" filter='objectclass=account'
attr=userPassword
by self write
by dn="cn=root,o=IISc,c=IN" write
by * compare
# Netscape needs mail attribute to login (will it work?)
access to dn=".*,o=IISc,c=IN" filter='objectclass=account' attr=mail
by self write
by dn="cn=root,o=IISc,c=IN" write
by dn=".*,o=IISc,c=IN" read
by * compare
# Access to account
access to dn=".*,o=IISc,c=IN" filter='objectclass=account'
by self write
by dn="cn=root,o=IISc,c=IN" write
by dn=".*,o=IISc,c=IN" read
by * none
# Access to person under each account (by the use of owner dn)
access to dn=".*,o=IISc,c=IN" filter='objectclass=person'
by dnattr=owner selfwrite
by dn="cn=root,o=IISc,c=IN" write
by dn=".*,o=IISc,c=IN" read
by * none
access to * by * none