
Re: slapd.conf access statement


Jason Parsons <jparsons-lists@saffron.net> writes:

> I have LDAP entries that look something like this:
> dn: ou=blah.net,ou=accounts,dc=example,dc=net
>      userpassword: password
> dn: cn=one,ou=blah.net,ou=accounts,dc=example,dc=net
> dn: ou=something.net,ou=accounts,dc=example,dc=net
>      userpassword: password2
> dn: cn=one,ou=something.net,ou=accounts,dc=example,dc=net
> dn: cn=two,ou=something.net,ou=accounts,dc=example,dc=net
> I would like to allow a user identified by the userpassword to have
> write access to all of the entries "under" that DN (cn=one, cn=two,
> ...).  I'm not exactly sure how to do this in slapd.conf.  Can
> someone point me to syntax for the 'access' statements here?  I have
> read the man page and help pages, and it's not clear.  It seems that
> 'by self' only allows access to the entry itself, and not to the
> entries "under" that entry.

access to dn.exact="cn=one,ou=blah.net,ou=accounts,dc=example,dc=net"
       by dn.children="cn=one,ou=blah.net,ou=accounts,dc=example,dc=net" write

could be a possibility, or, a bit more sophisticated:

access to dn.subtree="cn=one,ou=blah.net,ou=accounts,dc=example,dc=net"
       by dn.children="cn=one,ou=blah.net,ou=accounts,dc=example,dc=net" read continue
       by dn.regex="^uid=(.*),cn=one,ou=blah.net,ou=accounts,dc=example,dc=net$" selfwrite continue
       by * none stop

See man 5 slapd.access.


Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter@schevolution.com
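An added example, not taken from the reply above or from the OpenLDAP project, that answers the quoted question more directly and generalises it to every ou=<domain> entry under ou=accounts: the account whose userPassword sits on the ou entry gets write access to the entries below that ou and to nothing else. It assumes slapd.conf-style ACLs, the DN layout from the question, and the dn.regex capture / dn.exact,expand who-form as documented in slapd.access(5).

```conf
# Added example (not from the reply above). Assumed DN layout from the
# question: cn=<x>,ou=<domain>,ou=accounts,dc=example,dc=net, with the
# userPassword stored on the ou=<domain> entry itself.

# 1. The ou entries: each may bind (auth) and change its own password;
#    the hash is hidden from everyone else. This attribute-level rule
#    comes first because slapd stops at the first matching "access to".
access to dn.regex="^ou=[^,]+,ou=accounts,dc=example,dc=net$" attrs=userPassword
       by self write
       by anonymous auth
       by * none

# 2. Everything below an ou: "^.+," requires at least one RDN in front of
#    the ou, and the parenthesised group captures that ou's DN as $1.
#    The who-clause expands $1, so only a client bound as exactly that ou
#    entry gets write; ou=blah.net cannot touch ou=something.net's tree.
access to dn.regex="^.+,(ou=[^,]+,ou=accounts,dc=example,dc=net)$"
       by dn.exact,expand="$1" write
       by * read

# 3. Whatever is left (other attributes of the ou entries, the suffix).
access to *
       by * read
```

Check the result with ldapsearch/ldapmodify bound as ou=blah.net,ou=accounts,dc=example,dc=net: a modify under ou=blah.net succeeds, the same modify under ou=something.net is refused with insufficient access.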