[Date Prev][Date Next]
Re: Advanced ACL configuration?
> I'm wondering if ACL's can be built by using information in the LDAP
> database itself?
> For example, if user X is authenticated and has an attribute
> (for example) canModify: uid=y, o=foobar
> then this user would have write access to the DN's listed?
> Maybe a better solution to define the relationships would be to use
> the tree structure instead?
> Then users can be given write access to the subtree?
access to dn=".*,uid=user1,..." by dn="uid=user1,.."
this'll give user1 acccess to all subentries. (but not to his own entry.)
but this is quite annoying, 'cause you've to restart slapd each time after
adding a user..
so, i'd prefer to use the data of the db to formulate the ACLs.
a similar discussion was in the mailing list some time ago:
<quote Howard Chu from Sat, 12 May 2001 19:57:41 -0700>
We have an "owner" object, which contains an "account" attribute, which
lists all of the accounts that are owned by the "owner." So, an ACL like:
access to *
by selfattr=account write
says to check if the entry of the current logged-in user contains an
"account" attribute, and the DN of the target object is listed there, then
give write access to the target.
have a look at the list archive, (especially the above mentioned thread)
there were some discussions about advanced ACLs, and some of them were