[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: multiple admins and access rights

At 12:26 PM 4/14/00 +0200, Kai Martius wrote:
>First, thanks to the developers for the great job done with OpenLDAP!
>Here's my question:
>Is it possible within the current access control model to have something
>like "shared administration", that is, I want to grant the right to
>create new entries with a specific set of attributes to Admin1. Admin2
>should be able to modify these entries by adding / modifying other
>attributes, but neither to modify the entries written by Admin1 nor to
>delete the entry itself. I tried it with the following access rules
>(that didn't work :-( ). 
>Admin2 should have the right to add / modify a postaladdress, but
>nothing else. Admin1 therefore should be able to create the entry and
>write cn, ou, o and c attributes:
>defaultaccess   read
>access  	to   * attrs=dn,cn,ou,o,c
>                     by dn="cn=Admin1,o=myorg,c=de"		write
>                     by *                                       read   
>access          to * attr=postaladdress
>                     by dn="cn=Admin2,o=myorg,c=de"		write
>        	     by *                                       read
>Did I miss something important here?

Permission to write to the entry.

access to * attrs=entry
	by dn="cn=Admin?,o=myorg,c=de" write
	by * read