Re: deleting ACL
OK, but when you access the LDAP server from any other client, how does
the server know the user that is attempting to connect?
Alejandra
At 16:11 14.01.2002 +0100, you wrote:
> Yes, that's what I meant (sorry if I was not clear!), and yes I thought
> there was no way to separate add/delete from modify permissions at the
> attribute level. However, could I specify a single user to add/delete? How
> can I do that?
I think you should read carefully the slapd.access man page that comes
with HEAD code
http://www.openldap.org/devel/cvsweb.cgi/doc/man/man5/slapd.access.5
or have a look at the FAQ (a bit older, but basically correct)
http://www.openldap.org/faq/data/cache/447.html
because there are so many specific cases you may want to configure
access for. Basically you may want to give access to a specific
set of attributes, which may belong to a specific entry or to a
subtree or to the whole tree. To give a specific user write
permissions you must use its DN.
So an example ACL for attributes regardless of the entry they belong
to is (assuming your dn is "cn=Alejandra,dc=your,dc=org"):

    access to attrs=entry,mail,description
        by dn.exact="cn=Alejandra,dc=your,dc=org" write
        by * read

Note that you need "entry" access to be allowed to write the attributes
(here write means add/modify/delete).
If you want to give access to the same attributes but only in the
"ou=Foo" subtree:

    access to dn.subtree="ou=Foo,dc=your,dc=org"
        attrs=entry,mail,description
        by dn.exact="cn=Alejandra,dc=your,dc=org" write
        by * read

You can make this ACL much more powerful by defining a group of people
with the same access rights and by delegating access to the members
of the group.
Pierangelo.
______________________________________________________________________
Alejandra Moreno Espinar
at rete ag
mailto:alejandra.moreno@atrete.ch,
http://www.atrete.ch
snail mail: Oberdorfstrasse 2,
P.O. Box 674, 8024 Zurich, Switzerland
voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
_____________________________________________________________________
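The subtree ACL plus the group delegation that Pierangelo describes in the quoted reply above, as an added slapd.conf example that is not part of this thread. The names ou=Foo, cn=Foo Admins and dc=your,dc=org are assumed; cn=Foo Admins is assumed to be a groupOfNames entry whose member attribute lists the delegated users (the defaults that group.exact expects).

```conf
# Added example, not from the original thread.
# Each "by" clause is matched against the DN the client bound with;
# a client that did not bind (anonymous) only matches "by *" or
# "by anonymous", which is how slapd knows who is asking.

# Members of the (assumed) group cn=Foo Admins may add, modify and
# delete mail and description on any entry under ou=Foo.
# "entry" is listed so the group is allowed to write the entry at all;
# everyone else, including anonymous clients, gets read only.
access to dn.subtree="ou=Foo,dc=your,dc=org"
        attrs=entry,mail,description
        by group.exact="cn=Foo Admins,dc=your,dc=org" write
        by * read

# Everything not matched by an earlier clause is read-only.
# slapd uses the first "access to" clause whose target matches,
# so the more specific rule above must come before this one.
access to *
        by * read

# The group entry itself (LDIF, assumed names) would look like:
#   dn: cn=Foo Admins,dc=your,dc=org
#   objectClass: groupOfNames
#   cn: Foo Admins
#   member: cn=Alejandra,dc=your,dc=org
```

Adding or removing a member from cn=Foo Admins changes who can write under ou=Foo without touching slapd.conf, which is the delegation the reply refers to.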