
Re: Advanced ACL configuration?

Quoting Daniel Tiefnig <openldap@qmail.infonova.at> [04 Jul-01 10:04]:
> <stefan@alfredsson.org> wrote...
> > I'm wondering if ACL's can be built by using information in the LDAP
> > database itself?
> >
> > For example, if user X is authenticated and has an attribute
> > (for example) canModify: uid=y, o=foobar
> >
> > then this user would have write access to the DN's listed?
> >
> a similar discussion was in the mailing list some time ago:
> <quote Howard Chu from Sat, 12 May 2001 19:57:41 -0700>
>   access to *
>     by selfattr=account write

selfattr seemed to be excluded in my version (2.0.7), but the
other variant by using set=... seems to work.

Going over the documentation once again I found that dnattr might
work as well. Instead of defining in the "owner" object what subjects
it can modify, define the owner in the subject.

I.e. instead of saying "account X can write a,b,c", we say that
"a can be written by X, b can be written by X, c ..."

Or have I misunderstood the functionality of dnattr?

> have a look at the list archive (especially the above mentioned thread);
> there were some discussions about advanced ACLs, and some of them were
> pretty good.

Yes, thanks for the advice. Strange that I did not find it when I
searched for it earlier (before posting the question :)
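As an added illustration (not code from this thread or from the OpenLDAP project), here is how the two placements of the delegation attribute discussed above look in slapd.conf: the dnattr form with the grant stored in the target entry, and the set form with the grant stored in the user's own entry as the original question asked. The attribute names owner and canModify, the suffix o=foobar, and the exact set expression are assumptions on my part.

```conf
# Added example, not from the thread: OpenLDAP 2.0.x slapd.conf syntax.
# Attribute names "owner" and "canModify", the suffix o=foobar and the
# set expression are assumptions for illustration.
#
# Constructed directory contents these clauses assume:
#   dn: uid=y,o=foobar          dn: uid=x,o=foobar
#   owner: uid=x,o=foobar       canModify: uid=y,o=foobar

# Clauses are tried in order and the first "access to" that matches the
# target wins, so guard the delegation attributes before granting on the
# whole entry. Without this clause a delegate could rewrite "owner" (or
# a user could edit its own "canModify") and hand out write access.
# Only rootdn, which bypasses ACLs, can set these attributes here.
access to dn=".*,o=foobar" attrs=owner,canModify
        by *    read

# "by" clauses are also tried in order; the first matching subject wins.
#  - dnattr=owner   ("y can be written by X"): whoever is named in the
#                    target entry's owner attribute gets write.
#  - set=...        ("X can write y"): "user" is the bound DN,
#                    "user/canModify" the values of its canModify
#                    attribute, "this" the target entry; the intersection
#                    is non-empty exactly when the target is listed.
access to dn=".*,o=foobar"
        by dnattr=owner                  write
        by set="user/canModify & this"   write
        by self                          write
        by *                             read
```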