
Re: controlling ACL's with dn's contained in attributes?



Pierangelo,

Thanks for the reply. 

I will try and wade through the slapd.access again. 

To further explain my manager bit....

Let's say Jim is Fred's manager and, to further extend the issue, Fred is
Chris's manager.

I.e. an org chart would look like this:

Jim
|
Fred
|
Chris

I would like to understand if it's possible to write an ACL as follows:

Company X has an attribute called salesMan with Chris' fully qualified
DN, i.e. dn=uid=chris,dc=domain,dc=com.

Chris has an entry in his manager attribute for Fred, i.e.
uid=fred,dc=domain,dc=com.

Fred has an entry in his manager attribute for Jim, i.e.
uid=jim,dc=domain,dc=com.

I would like to allow Chris write access to Company X's info;
additionally, I would like Fred, because he's Chris' manager, to have the
same abilities. Additionally, if Jim wished to change information of
Company X he could do so, because the salesman defined in the salesMan
attribute is managed indirectly by him via Fred.

Hopefully this clarifies things. I'd welcome any feedback on how to
accomplish this if it can't be developed the way I am suggesting.


On Tue, 2004-01-27 at 11:06, Pierangelo Masarati wrote:
> > Hello,
> >
> > I am struggling to find a good "ACL Cookbook" site if anyone knows of
> > one please post to the list.
> 
> Info is disseminated in different places, I admit.
> The most up-to-date (I don't want to make jokes
> about you should read the code :) is the slapd.access(5)
> man page.
> 
> > I think it could help a lot of people. In
> > the absence of that my question is as follows:
> >
> > I would like to utilize the filter= ACL in order to maintain a structure
> > as flat as possible.  I intend to create a custom schema to create an
> > attribute for our customers called salesMan which would contain a DN
> > similar to the manager attribute. I'd like to know if it's possible to
> > create an ACL where the salesman has the ability to write to the DN, or the
> > manager of the salesman as defined in the salesman's manager attribute
> > has the write ability. I can always wrap this all in application layer
> > bits but it would be nice to make use of OpenLDAP's native ACLs to
> > manage this. Anyone have any pointers?
> 
> I think an
> 
> access to dn=<dn of data>
>     by dnattr=salesman write
>     by * <whatever permission to non-salesman>
> 
> this causes a write operation to succeed on <dn of data>
> if the operation's DN is equal to the value of the "salesman"
> attribute in entry <dn of data>, which can be exact (the
> default) or any form of sub-DN including regex(7); you can
> further restrict access to parts of the entry according
> to the <what> part of slapd.access(5).
> 
> I frankly don't understand the part of your question that
> refers to the manager of the salesman.
> 
> p.
-- 
Regards,

Jayson D. Henkel
Systems Manager

(Tel:  +1 (780) 440-4434)
(Fax:  +1 (780) 440-1951)
(Cell: +1 (780) 886-8941)
(E-Mail: jhenkel@sterlingcrane.ca)

Sterling Crane
P.O. Box 8610. Station South
Edmonton, Alberta
Canada. T6E 6R2
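As an added example (not code from either message in the thread): the slapd.conf access directive Pierangelo describes, written out for the salesMan attribute, with set clauses added for the manager chain Jayson asks about. The container ou=Customers,dc=domain,dc=com and the set clause syntax are my assumptions; only the dnattr form is what the reply above documents.

```conf
# Added example, not from the thread. Assumes customer entries live under
# ou=Customers,dc=domain,dc=com and carry a salesMan attribute whose value
# is the DN of the salesman (uid=chris,dc=domain,dc=com in the thread).
#
# slapd evaluates the <by> clauses in order and stops at the first one
# that matches the bound DN, so keep the most specific grants first.
access to dn.children="ou=Customers,dc=domain,dc=com"
    # Pierangelo's approach: the bound DN must equal a value of salesMan
    # stored in the target entry itself.  dnattr never follows the manager
    # attribute of the salesman's own entry, so this line alone gives
    # Chris write access but nothing to Fred or Jim.
    by dnattr=salesMan write
    # Assumption: slapd.access(5) set clauses (documented as experimental).
    # "this" is the target entry, "user" the bound DN.  this/salesMan yields
    # Chris's DN; each further "/manager" dereferences that entry and takes
    # its manager value, walking one level up the org chart.
    by set="this/salesMan/manager & user" write
    by set="this/salesMan/manager/manager & user" write
    # Everyone else who is authenticated may read; anonymous gets nothing.
    by users read
    by * none
```

Because dnattr compares only values present in the target entry, the two-level case (Jim via Fred) cannot be expressed with dnattr at all; the set clauses are the only native way to reach it in this example.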
