[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control

To: Weston Bustraan <weston@itdonline.net>
Subject: Re: Access control
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sun, 22 Apr 2001 23:27:16 -0700
Cc: <openldap-software@OpenLDAP.org>
In-reply-to: <Pine.LNX.4.30.0104221043240.27291-100000@sapphire.itdonlin e.net>

At 07:52 AM 4/22/01, Weston Bustraan wrote:
>I've been reading the docs on access control, but I'm having a hard time
>figuring out how to do a few things.
>
>I would like to grant full access to people with a certain gidNumber, so
>that I can grant them admin status just by setting their gidNumber to the
>'admin' group. Can anyone give me some pointers on how to do this?

Write code.  OpenLDAP doesn't support any ACL/ACI feature which
would allow you to do that.
        

>Also, how would I configure LDAP so that users are able to modify their
>own entry and entries below them in the tree, but nothing else?

This can be done with regex.

access to dn=".+,\(uid=[^,]+,ou=people,dc=example,dc=com\)"
        by dn="$1" write

access to *
        by self write


You'll, of course, need to adjust that as needed for your naming
and existing ACLs.

Prev by Date: Re: OpenLDAP-2.0.7: "ldap_add: No such object" -- PLEASE HELP!!!
Next by Date: Re: OpenLDAP-2.0.7: "ldap_add: No such object" -- PLEASE HELP!!!
Index(es):
- Chronological
- Thread