[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access List Example

To: "Leone, Todd" <tleone@acs.utah.edu>
Subject: Re: Access List Example
From: M Butcher <mbutcher@grcomputing.net>
Date: 28 May 2003 14:49:32 -0600
Cc: openldap-software@OpenLDAP.org
In-reply-to: <B51F85BF02CC4042B3C147FD19E5D90F12E3D7@exchange.acs.utah.edu>
Organization:
References: <B51F85BF02CC4042B3C147FD19E5D90F12E3D7@exchange.acs.utah.edu>

Here's an example of restricting access to general users, while allowing
the admin group (well, role, actually) to see them.

access to attr=description
    by dn="cn=Manager,dc=mycompany,dc=com" write
    by
group/organizationalRole/roleOccupant="cn=Administrators,dc=mycompany,dc=com" write
    by * none

The second 'by' specifies that "organizationalRole" is to be treated
like a group, and that group members are specified with "roleOccupant."

So, anyone listed as a roleOccupant in
"cn=Administrators,dc=mycompany,dc=com" will be given write access to
the description field.

There is more info somewhere in the Faq-O-Matic at openldap.org, I
think.

Matt

On Wed, 2003-05-28 at 13:59, Leone, Todd wrote:
> List,
> I've been fighting with this all day and hopefully someone will share
> An example of their access list in regards to the following:
> 
> Based upon group membership, display multiple attributes..
> For example:
> Uid=test,ou=people,o=suffix is in group employees
> 
> So if test binds and searches, sn=smith 
> The results will display employeeNumber, workphone, etc...
> 
> But is someone else searches who's not in group employees
> employeeNumber, workphone will not be displayed....
> 
> 
> Any examples will be greatly 
> Appreciated
> 
> 
> Todd Leone
> University of Utah
-- 
M Butcher <mbutcher@grcomputing.net>

References:
- Access List Example
  - From: "Leone, Todd" <tleone@acs.utah.edu>

Prev by Date: Access List Example
Next by Date: Re: OpenLDAP <-> Advanced Directory Syncs
Index(es):
- Chronological
- Thread