
Re: deleting ACL

OK, but when you access the LDAP server from any other client, how does the server know the user that is attempting to connect?


At 16:11 14.01.2002 +0100, you wrote:
> Yes, that's what I meant (sorry if I was not clear!), and yes I thought
> there was no way to separate add/delete from modify permissions at the
> attribute level. However, could I specify a single user to add/delete? How
> can I do that?

I think you should read carefully the slapd.access man page that comes
with HEAD code


or have a look at the FAQ (a bit older, but basically correct)


because there are so many specific cases you may want to configure
access for.  Basically you may want to give access to a specific
set of attributes, which may belong to a specific entry or to a
subtree or to the whole tree.  To give a specific user write
permissions you must use its DN.

So an example ACL for attributes regardless of the entry they belong
to is (assuming your dn is "cn=Alejandra,dc=your,dc=org"):

access to attrs=entry,mail,description
        by dn.exact="cn=Alejandra,dc=your,dc=org" write
        by * read

Note that you need "entry" access to be allowed to write the attributes
(here write means add/modify/delete).

If you want to give access to the same attributes but only in the
"ou=Foo" subtree:

access to dn.subtree="ou=Foo,dc=your,dc=org" attrs=entry,mail,description
        by dn.exact="cn=Alejandra,dc=your,dc=org" write
        by * read

You can make this ACL much more powerful by defining a group of people
with the same access rights and by delegating access to the members
of the group.


Alejandra Moreno Espinar
at rete ag

mailto:alejandra.moreno@atrete.ch, http://www.atrete.ch
snail mail: Oberdorfstrasse 2, P.O. Box 674, 8024 Zurich, Switzerland
voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
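A small model of how slapd evaluates the two directives shown in the message, added here as an illustration (it is not OpenLDAP code; the entry DNs, the group DN and its member table are made up): the first "access to" directive whose target matches the entry/attribute is the only one consulted, the first "by" clause inside it whose subject matches the bound DN sets the granted level, and a modify needs write on both the attribute and the pseudo-attribute "entry". The group constants show the delegation the message mentions at the end.

```python
"""Simplified model of slapd ACL evaluation (added illustration, not OpenLDAP code).

First 'access to' directive whose target matches is the only one consulted; within
it the first 'by' clause whose subject matches decides the level.  Writing an
attribute also needs write on the pseudo-attribute 'entry', as the message notes.
"""
from dataclasses import dataclass, field

# Access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm(dn: str) -> str:
    """Normalize a DN for comparison (case-insensitive, no spaces around commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere below it."""
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

@dataclass
class By:
    """One 'by <who> <level>' clause."""
    who: str          # "*", "dn.exact", "dn.subtree" or "group"
    level: str        # one of LEVELS
    value: str = ""   # DN for the dn.* and group selectors

    def matches(self, bind_dn: str, groups: dict) -> bool:
        if self.who == "*":
            return True
        if self.who == "dn.exact":
            return norm(bind_dn) == norm(self.value)
        if self.who == "dn.subtree":
            return in_subtree(bind_dn, self.value)
        if self.who == "group":   # membership lookup in the model's group table
            return norm(bind_dn) in {norm(m) for m in groups.get(norm(self.value), [])}
        raise ValueError(f"unknown who selector {self.who}")

@dataclass
class Rule:
    """One 'access to [dn.<style>=<dn>] attrs=<list> by ...' directive."""
    attrs: set                   # attribute names; {"*"} means every attribute
    by: list = field(default_factory=list)
    dn_style: str = "*"          # "*", "dn.exact" or "dn.subtree"
    dn_base: str = ""

    def targets(self, entry_dn: str, attr: str) -> bool:
        if "*" not in self.attrs and attr.lower() not in {a.lower() for a in self.attrs}:
            return False
        if self.dn_style == "*":
            return True
        if self.dn_style == "dn.exact":
            return norm(entry_dn) == norm(self.dn_base)
        if self.dn_style == "dn.subtree":
            return in_subtree(entry_dn, self.dn_base)
        raise ValueError(f"unknown dn style {self.dn_style}")

def granted_level(rules, bind_dn, entry_dn, attr, groups=None) -> str:
    """Level granted to bind_dn on entry_dn/attr by the first directive that targets it.

    A targeting directive whose 'by' clauses all fail yields 'none'; evaluation does
    not fall through.  No targeting directive at all: this model denies (a real
    server applies its configured default policy instead).
    """
    for rule in rules:
        if rule.targets(entry_dn, attr):
            for clause in rule.by:
                if clause.matches(bind_dn, groups or {}):
                    return clause.level
            return "none"
    return "none"

def has_access(rules, bind_dn, entry_dn, attr, wanted, groups=None) -> bool:
    got = granted_level(rules, bind_dn, entry_dn, attr, groups)
    return LEVELS.index(got) >= LEVELS.index(wanted)

def can_write_attr(rules, bind_dn, entry_dn, attr, groups=None) -> bool:
    """Add/modify/delete of a value needs write on the attribute AND on 'entry'."""
    return (has_access(rules, bind_dn, entry_dn, attr, "write", groups)
            and has_access(rules, bind_dn, entry_dn, "entry", "write", groups))

ALEJANDRA = "cn=Alejandra,dc=your,dc=org"
WHO = [By("dn.exact", "write", ALEJANDRA), By("*", "read")]
# Directive 1 from the message: the three attributes regardless of entry.
ANYWHERE = [Rule({"entry", "mail", "description"}, WHO)]
# Directive 2 from the message: the same attributes, only under ou=Foo.
FOO_ONLY = [Rule({"entry", "mail", "description"}, WHO,
                 dn_style="dn.subtree", dn_base="ou=Foo,dc=your,dc=org")]
# Directive 1 with 'entry' left out of attrs: writes are refused.
NO_ENTRY = [Rule({"mail", "description"}, WHO)]
# Group delegation; group DN and member table are hypothetical, not from the message.
MAILADMINS = "cn=mailadmins,dc=your,dc=org"
GROUPS = {norm(MAILADMINS): ["cn=Bob,ou=Foo,dc=your,dc=org"]}
BY_GROUP = [Rule({"entry", "mail", "description"},
                 [By("group", "write", MAILADMINS), By("*", "read")])]
```

Calling `can_write_attr(NO_ENTRY, ALEJANDRA, "cn=Bob,ou=Foo,dc=your,dc=org", "mail")` returns False even though the mail attribute itself is writable, which is exactly the "entry" pitfall the message warns about; with `ANYWHERE` the same call returns True, and with `FOO_ONLY` it returns True for entries under ou=Foo and False elsewhere. The model is only a way to reason about a candidate directive set before loading it; the real check is still an ldapmodify bound as the DN in question against a test server, since the server identifies the requester solely by that bind DN.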