Re: deleting ACL
OK, but when you access the LDAP server from any other client, how does
the server know the user that is attempting to connect?
At 16:11 14.01.2002 +0100, you wrote:
> Yes, that's what I meant
> (sorry if I was not clear!), and yes I thought
> there was no way to separate from add/delete from modify permissions
> attribute level. However, could I specify a single user to
> can I do that?
I think you should read carefully the slapd.access man page that comes
with HEAD code
or have a look at the FAQ (a bit older, but basically correct)
because there are so many specific cases you may want to configure
access for. Basically you may want to give access to a specific
set of attributes, which may belong to a specific entry or to a
subtree or to the whole tree. To give a specific user write
permissions you must use its DN.
So an example ACL for attributes regardless of the entry they belong
to is (assuming your dn is
access to attrs=entry,mail,description
Note that you need "entry" access to be allowed to write the
(here write means add/modify/delete)
If you want to give access to the same attributes but only in the
access to dn.subtree="ou=Foo,dc=your,dc=org"
You can make this ACL much more powerful by defining a group of
with the same access rights and by delegating access to the members
of the group.
Alejandra Moreno Espinar
at rete ag
snail mail: Oberdorfstrasse 2,
P.O. Box 674, 8024 Zurich, Switzerland
voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
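The two ACL shapes described in the reply above, written out in slapd.conf syntax as an added example (not the poster's configuration); the DNs cn=Alice,ou=People,dc=your,dc=org, cn=MailAdmins,ou=Groups,dc=your,dc=org and ou=Foo,dc=your,dc=org are assumed placeholders.

```conf
# slapd.conf ACL fragment (added example; all DNs below are assumed).
# slapd evaluates "access to" clauses in order and uses the FIRST one whose
# target matches, so the narrower subtree rule must come before the tree-wide
# rule or it will never be reached.

# 1) Same attributes, but only inside ou=Foo, delegated to a group.
#    "group=" refers to a groupOfNames entry; its member attribute lists the
#    DNs that get write access. The bound DN is what slapd matches here, which
#    is why anonymous clients never match "by group" or "by dn".
access to dn.subtree="ou=Foo,dc=your,dc=org" attrs=entry,mail,description
    by group="cn=MailAdmins,ou=Groups,dc=your,dc=org" write
    by self write
    by users read
    by * none

# 2) The attributes regardless of which entry they belong to, for one user.
#    "entry" is the pseudo-attribute for the entry itself; write access to it
#    is what allows adding or deleting the entry, not just modifying values.
access to attrs=entry,mail,description
    by dn="cn=Alice,ou=People,dc=your,dc=org" write
    by self write
    by users read
    by * none

# 3) Everything not covered above. Once any "access to" directive exists,
#    a request that matches no "by" clause is denied, so spell out the
#    fallback you actually want instead of relying on the implicit default.
access to *
    by self write
    by users read
    by * none
```

Within one clause the first matching "by" wins as well, so a user who is both the named DN and a member of the group still gets only the first level listed for them.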