
Re: Restrict Access to one value of multivalued Entry



If you grant the user to write to an attribute, that user
can replace all values of the attribute.  While slapd(8)
supports "selfwrite" and "selfread" ACLs, these ACLs are
designed to work when the subject has fewer permissions
over the attribute as a whole than it does to its "self"
value.  That is, if one were to have "selfread" over the
self value, but "write" over the attribute as a whole,
the "selfread" won't prevent the user from replacing all
values of the attribute.

At 04:26 AM 2002-10-04, Timo Boettcher wrote:
>Hi!
>
>I want to set up a test account on my server (with access data published on the internet) which is restricted to his own subtree (no problem in doing this) and may not edit himself; in particular, he may not be able to get out of the groups which give him admin rights over his subtree.
>
>I have (very roughly, and probably working better than this simple example):
>
>access to dn="<DN_Of_Test_User_Subtree>" 
>        by group="cn=writegroup,<DN_Of_Test_User_Subtree>" write
>        by group="cn=readgroup,<DN_Of_Test_User_Subtree>" read
>access to dn="cn=writegroup,<DN_Of_Test_User_Subtree>" 
>        by self write
>        by group="cn=readgroup,<DN_Of_Test_User_Subtree>" read
>
>The Testuser should be able to add others to this writegroup, and remove others from this writegroup, but he may not be able to remove himself from this group.
>
>Is it possible to implement this on the acl side, without adding the testuser to all acls like seen below?
>access to dn="<DN_Of_Test_User_Subtree>" 
>        by dn="cn=test,ou=Users,<DN_Of_Test_User_Subtree>" write
>        by group="cn=writegroup,<DN_Of_Test_User_Subtree>" write
>        by group="cn=readgroup,<DN_Of_Test_User_Subtree>" read
>
>I would like to do the following, but from what I read in the Admin Guide, that would work.
>access to dn="cn=writegroup,<DN_Of_Test_User_Subtree>" member="cn=test,ou=Users,<DN_Of_Test_User_Subtree>"
>        by * read
>
>
>Thanks for your help
>
>   Timo
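Added illustration, not taken from either message in this thread: two alternative slapd.conf ACL stanzas for the same group entry, contrasting the case the reply warns about (plain "write" on the attribute) with the case it describes as supported ("selfwrite" with no broader write). The DNs are the placeholders from the original post; the attribute name `member`, the `dnattr=member` subject and the `readgroup` read clause are assumptions. Only one of the two stanzas would appear in a real configuration.

```conf
# Added example, not from the thread. DNs are the placeholders used in the
# original post; "member", "dnattr=member" and the readgroup clause are assumed.

# Case 1 (what the reply warns about): "write" on the attribute as a whole.
# Every DN listed in member may replace or delete ALL values of member, so a
# listed user can remove himself, and everyone else, from the group. Adding a
# "selfwrite" clause next to this would change nothing, because the broader
# "write" already applies.
access to dn="cn=writegroup,<DN_Of_Test_User_Subtree>" attrs=member
        by dnattr=member write
        by group="cn=readgroup,<DN_Of_Test_User_Subtree>" read
        by * none

# Case 2 (the supported selfwrite pattern): the subject holds only "selfwrite"
# over the attribute and no wider write, so each listed DN may add or delete
# only the single value equal to its own DN and cannot touch other members'
# values. This is the reverse of the original request (edit others but never
# yourself); the reply explains that selfwrite is not designed for that case.
access to dn="cn=writegroup,<DN_Of_Test_User_Subtree>" attrs=member
        by dnattr=member selfwrite
        by group="cn=readgroup,<DN_Of_Test_User_Subtree>" read
        by * none
```

The check a practitioner would run after either change is a modify as the test user that deletes another member's value and one that deletes his own: under Case 1 both succeed, under Case 2 only the self value can be removed and the other is refused with insufficient access.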