
Complex permissions for OpenLDAP



Basically I'm trying to restrict/enable userPassword access, and am failing miserably.

Say I have this structure

cn=SubUser,uid=User,ou=People,o=ExampleCompany,c=CA

If I'm logged in as uid=User,ou=People,... I want to be able to edit/view the userPassword for cn=SubUser, and justly have it work hierarchically... let's pretend that I could log in as ou=People; I would want to be able to view/edit passwords for everyone below me (including myself).

There are hundreds of entries at the uid level, and none of them should be able to view/edit the userPassword of the user that is below me, except me, and only when I'm bound with that authentication.

Make sense? So far I'm able to give full read/write access to everyone except anonymous, or hide it altogether from everyone, except the logged in user (meaning I'd have to bind as cn=SubUser in order to view/edit the password).

Well, that was a mouthful, and I hope it makes sense to someone. Any help on this matter is *greatly* appreciated.

Mike Eheler
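One way to express this in slapd.conf, added here as an illustration and not part of Mike's post: the `to` clause captures the DN of the uid-level entry above the target, and the `,expand` modifier (OpenLDAP 2.1 or later) lets the `by` clause grant write access to exactly that DN. The suffix o=ExampleCompany,c=CA comes from the post; the regex, the ou=People administrator clause and the fallback rule are assumptions.

```conf
# slapd.conf excerpt (constructed example). ACLs are evaluated top-down:
# the first "access to" whose <what> matches the entry and attribute wins,
# and within it the first matching "by" clause decides the access level.

# userPassword on any entry at or below uid=<X>,ou=People,o=ExampleCompany,c=CA.
# $2 captures the DN of that uid entry, so the bound uid user may write the
# password of every entry in its own subtree (cn=SubUser,uid=User,... included)
# and of itself, while other uid-level users fall through to "by * none".
access to dn.regex="^(.+,)?(uid=[^,]+,ou=People,o=ExampleCompany,c=CA)$" attrs=userPassword
    by dn.exact,expand="$2" write
    by dn.exact="ou=People,o=ExampleCompany,c=CA" write
    by self write
    by anonymous auth
    by * none

# Everything else: entries are readable by authenticated users and writable
# by their owner; userPassword never reaches this rule because the one above
# matched it first.
access to *
    by self write
    by users read
    by * none
```

Keep the userPassword rule above any broader `access to *` rule, since a matching earlier rule ends evaluation and a later, more specific one would never be consulted.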