
Re: authentication problem

> Lets say I got a user called "fred". fred has got an administrative role
> in my department and i want him to be able to change data and group
> settings of one group (his department) and of all users who are members of
> this group (but not of any other user).
> The problem is, though it is easily accomplished to have a group being
> able to access a certain subtree (by using the "access to ... by
> group=..."), I am not able to define an ACL like:
> access to group=... by ...

Marc, look at this (from the "OpenLDAP 2.0 Administrator's Guide", but works
similarly for openldap 1.2.X):

<access directive> ::= access to <what>
                [by <who> <access> <control>]+
        <what> ::= * | [ dn[.<target style>]=<regex>]
                [filter=<ldapfilter>] [attrs=<attrlist>]

(- cut -)

The <what> part of an access specification determines the entries and
attributes to which the access control applies. Entries can be selected in
two ways: by a regular expression matching the entry's distinguished name:

        dn=<regular expression>

Or, entries may be selected by a filter matching some attribute(s) in the

        filter=<ldap filter>

where <ldap filter> is a string representation of an LDAP search filter, as
described in RFC2254.

(- cut -)

should work...

see: http://www.openldap.org/doc/admin/slapdconfig.html for further

Daniel Tiefnig
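One way to express what Marc asked for with the <what> syntax quoted above, as an added example that is not part of the original message or of the OpenLDAP documentation (the DNs, the departmentNumber attribute and the slapd.conf layout are assumptions):

```conf
# slapd.conf ACL fragment (added example; all DNs and the attribute used to
# mark department membership are constructed assumptions).
# slapd evaluates "access to" clauses in order and uses the first <what> that
# matches the entry, so the specific rules must come before the catch-all.

# 1. The department's group entry itself: fred may modify it (including its
#    member attribute); everyone else may only read it.
access to dn="cn=sales,ou=groups,dc=example,dc=com"
        by dn="uid=fred,ou=people,dc=example,dc=com" write
        by * read

# 2. User entries belonging to that department. The filter can only match
#    attributes stored in the user entry itself, so every member is assumed
#    to carry departmentNumber=sales. dn= is a regex in the quoted syntax,
#    so anchor it to avoid matching entries deeper in the tree.
access to dn="^uid=[^,]+,ou=people,dc=example,dc=com$" filter=(departmentNumber=sales)
        by dn="uid=fred,ou=people,dc=example,dc=com" write
        by self write
        by * read

# 3. Everything else: fred is an ordinary user here and gets no write access
#    to users outside his department.
access to *
        by self write
        by * read
```

Before deploying, bind as fred and try an ldapmodify against one member entry and one user from another department; because evaluation stops at the first matching <what>, a misplaced catch-all silently widens access.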