
Restrict Access to one value of multivalued Entry
Hi!

I want to set up a test account on my server (with access data published on the internet) which is restricted to his own subtree (no problem in doing this) and may not edit himself; in particular, he may not be able to get out of the groups which give him admin rights over his subtree.

I have (very roughly, and probably working better than this simple example):

access to dn="<DN_Of_Test_User_Subtree>"
        by group="cn=writegroup,<DN_Of_Test_User_Subtree>" write
        by group="cn=readgroup,<DN_Of_Test_User_Subtree>" read
access to dn="cn=writegroup,<DN_Of_Test_User_Subtree>"
        by self write
        by group="cn=readgroup,<DN_Of_Test_User_Subtree>" read

The test user should be able to add others to this writegroup and remove others from this writegroup, but he may not be able to remove himself from this group.

Is it possible to implement this on the ACL side, without adding the test user to all ACLs as seen below?
access to dn="<DN_Of_Test_User_Subtree>"
        by dn="cn=test,ou=Users,<DN_Of_Test_User_Subtree>" write
        by group="cn=writegroup,<DN_Of_Test_User_Subtree>" write
        by group="cn=readgroup,<DN_Of_Test_User_Subtree>" read

I would like to do the following, but from what I read in the Admin Guide, that would work.
access to dn="cn=writegroup,<DN_Of_Test_User_Subtree>" member="cn=test,ou=Users,<DN_Of_Test_User_Subtree>"
        by * read


Thanks for your help

   Timo
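One way to express the per-value restriction asked for above, added here as an example and not taken from the post or any reply to it: it keeps the post's placeholders, assumes writegroup is a groupOfNames whose membership lives in the `member` attribute (the default for `group=`), and relies on the `val` clause of the `attrs` specifier documented in slapd.access(5), which limits a rule to one attribute value.

```conf
# slapd uses the first "access to" clause that matches a request, so the
# value-specific rule must come before the general rules for the same DN.

# 1. The single member value naming the test user: readable by all,
#    writable by nobody, so not even members of writegroup can delete it.
access to dn.exact="cn=writegroup,<DN_Of_Test_User_Subtree>"
        attrs=member
        val.exact="cn=test,ou=Users,<DN_Of_Test_User_Subtree>"
        by * read

# 2. Every other member value: writegroup may add and remove them,
#    readgroup may only read them.
access to dn.exact="cn=writegroup,<DN_Of_Test_User_Subtree>"
        attrs=member
        by group.exact="cn=writegroup,<DN_Of_Test_User_Subtree>" write
        by group.exact="cn=readgroup,<DN_Of_Test_User_Subtree>" read

# 3. The rest of the subtree, as in the original post.
access to dn.subtree="<DN_Of_Test_User_Subtree>"
        by group.exact="cn=writegroup,<DN_Of_Test_User_Subtree>" write
        by group.exact="cn=readgroup,<DN_Of_Test_User_Subtree>" read
```

Removing a value from `member` is checked per value, which is why rule 1 can protect one value while rule 2 leaves the others writable. Deleting the whole group entry is a separate operation governed by the `entry` and `children` pseudo-attributes and is not restricted by these rules.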