[Date Prev][Date Next]
I would like to implement the following pseudo-ACL:
access to dn=".*,ou=addressbook,uid=($1),ou=people,o=root"
by dn="uid=($1),ou=people,o=root" write
by * none
That is, each user can create children of his own ou=addressbook, which
is a child of his ou=people entry.
Obviously, I could implement this by having a seperate entry in
slapd.conf for each user. That this is undesirable is equally obvious.
I think I could do it with something like
but then, wouldn't every object below ou=addressbook have to have an
owner attribute (which seems rather wasteful)? Or can I somehow do it so
that just the ou=addressbook entry has an owner attribute, but the user
has write access to all objects below that in the tree?
I would also like to know how a domain-based ACL like
is compared. Is domain resolved to an IP and then compared to the client
IP? Or is the client IP reverse-lookuped and then compared tot the
domain? Can I just use IP addresses directly as domain entries? What
about stuff like 192.0.1.* and 22.214.171.124/24?