[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Advanced ACL configuration?

Daniel Tiefnig wrote:

>   access to *
>     by selfattr=account write

There's no "selfattr" acl subject to my knowledge.
Maybe the "dnattr" attribute was addressed. It should
be set to the the attribute type that contains the "dn"
of who's allowed to modify an entry. So the modifier's
identity can be listed in the entry itself; e.g., given
the group

dn: cn=Your Group,ou=Groups,dc=your,dc=org
objectClass: top
objectClass: groupOfNames
owner: cn=Your Group Owner,ou=People,dc=your,dc=org
member: cn=Yourself,ou=People,dc=your,dc=org

access to its members can be:

access to dn="cn=Your Group,ou=Groups,dc=your,dc=org"
    by dnattr=member selfwrite
    by dnattr=owner write
    by * none

so that the owner of the group can add/modify/delete
anybody from the group, while a member can only
add/remove him/herself


Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati