Re: multiple admins and access rights
At 12:26 PM 4/14/00 +0200, Kai Martius wrote:
>First, thanks to the developers for the great job done with OpenLDAP!
>Here's my question:
>Is it possible within the current access control model to have something
>like "shared administration", that is, I want to grant the right to
>create new entries with a specific set of attributes to Admin1. Admin2
>should be able to modify these entries by adding / modifying other
>attributes, but neither to modify the entries written by Admin1 nor to
>delete the entry itself. I tried it with the following access rules
>(that didn't work :-( ).
>Admin2 should have the right to add / modify a postaladdress, but
>nothing else. Admin1 therefore should be able to create the entry and
>write cn, ou, o and c attributes:
>access to * attrs=dn,cn,ou,o,c
> by dn="cn=Admin1,o=myorg,c=de" write
> by * read
>access to * attr=postaladdress
> by dn="cn=Admin2,o=myorg,c=de" write
> by * read
>Did I miss something important here?
Permission to write to the entry.
access to * attrs=entry
 by dn="cn=Admin?,o=myorg,c=de" write
 by * read