Re: Advanced ACL configuration?
Quoting Daniel Tiefnig <firstname.lastname@example.org> [04 Jul-01 10:04]:
> <email@example.com> wrote...
> > I'm wondering if ACLs can be built by using information in the LDAP
> > database itself?
> > For example, if user X is authenticated and has an attribute
> > (for example) canModify: uid=y, o=foobar
> > then this user would have write access to the DNs listed?
> a similar discussion was in the mailing list some time ago:
> <quote Howard Chu from Sat, 12 May 2001 19:57:41 -0700>
> access to *
> by selfattr=account write
selfattr seemed to be excluded in my version (2.0.7), but the
other variant by using set=... seems to work.
Going over the documentation once again I found that dnattr might
work as well; instead of defining in the "owner" object what subjects
it can modify, define the owner in the subject.
I.e. instead of saying "account X can write a,b,c", we say that
"a can be written by X, b can be written by X, c ...."
Or have I misunderstood the functionality of dnattr?
> have a look at the list archive, (especially the above mentioned thread)
> there were some discussions about advanced ACLs, and some of them were
> pretty good.
Yes, thanks for the advice. Strange that I did not find it when I
searched for it earlier (before posting the question :)
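
The dnattr arrangement described in the message above, as an added example that is not part of the original post and is not OpenLDAP code: a simplified Python model of how a `by dnattr=<attr>` clause is evaluated when the owner is recorded on each subject entry. The entries, the `owner` attribute name, the `cn=Manager,o=foobar` DN and the tuple form of the rules are assumptions made for illustration.

```python
# Simplified model of slapd ACL evaluation with "by dnattr=<attr>".
# Not OpenLDAP code; entries, DNs and the "owner" attribute are constructed.

def norm_dn(dn):
    """Crude DN normalisation: lowercase, trim spaces around ',' and '='."""
    return ",".join(
        "=".join(p.strip().lower() for p in rdn.split("=", 1))
        for rdn in dn.split(",")
    )

# Ownership is stored on the subject entries ("a can be written by X").
DIRECTORY = {
    "uid=a,o=foobar": {"cn": ["a"], "owner": ["uid=X, o=foobar"]},
    "uid=b,o=foobar": {"cn": ["b"], "owner": ["UID=x,O=foobar", "uid=z,o=foobar"]},
    "uid=c,o=foobar": {"cn": ["c"]},  # no owner attribute at all
}

# Each rule: (attribute or "*", ordered list of (who, access level)).
# Equivalent of: access to * by dnattr=owner write by * read
ACL_OPEN = [("*", [("dnattr=owner", "write"), ("*", "read")])]

# Same, preceded by a rule that reserves the owner attribute for an
# administrative DN (hypothetical cn=Manager,o=foobar).
ACL_LOCKED = [
    ("owner", [("dn=cn=Manager,o=foobar", "write"), ("*", "read")]),
] + ACL_OPEN

def access_level(acl, target_dn, attribute, requester):
    """First rule whose 'what' matches is selected; first matching 'who' wins."""
    entry = DIRECTORY[norm_dn(target_dn)]
    who_dn = norm_dn(requester)
    for what, by_clauses in acl:
        if what not in ("*", attribute):
            continue
        for who, level in by_clauses:
            kind, _, value = who.partition("=")
            if who == "*":
                return level
            if kind == "dn" and norm_dn(value) == who_dn:
                return level
            # dnattr: requester's DN must be listed in <value> of the target entry
            if kind == "dnattr" and who_dn in map(norm_dn, entry.get(value, [])):
                return level
        return "none"  # selected rule had no matching who clause
    return "none"      # no rule matched the target at all
```

Under `ACL_OPEN` a DN listed in `owner` also has write access to the `owner` attribute itself, so it can add or replace owners on that entry; `ACL_LOCKED` keeps the delegation but reserves that attribute for the administrative DN.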