SOLVED Re: Can I do this with OpenLDAP acls?
Tony Earnshaw wrote:
> There are many cases in which unprivileged (not necessarily but often
> bound) entities can be configured not to be able to read details
> - think of homeTelephoneNumber, homeAddress, mobile etc. So "access to *
> by *" would never do in my ACLs ;)
FWIW, I solved my dilemma. I changed my schema to specify that masterAccount
contains a DN, which allowed me to do this:
access to attr=userPassword
    by self write
    by dnattr="masterAccount" write
    by * auth
This allows uid=xyz,ou=users,dc=justthe,dc=net to change the password for any
account for which that DN is specified in the masterAccount attribute. I am
able to change the password, for example, for my LDAP entry and one other LDAP
entry for which my DN is specified as the masterAccount, but I can't change
anyone else's password without binding as the rootdn.
If I need to give the masterAccount DN more access I can add ACL entries later,
but my initial goal was to allow a master user to be able to change passwords
for any of the accounts under his control.
I think this is a much more elegant solution than trying to use sets.
JustThe.net Internet & New Media Services, Apple Valley, CA PGP: 0xE3AE35ED
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net
"someone once called me a sofa, but i didn't feel compelled to rush out and buy
slip covers." -adam brower * Hiroshima '45, Chernobyl '86, Windows 98/2000/2003
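As an added example (not part of either post above), here is a slapd.conf fragment that reproduces the delegated-password-change setup Steven describes, with the pieces the post leaves implicit: the attribute must be declared with DN syntax for dnattr to work, the userPassword rule must come before any broader rule because slapd uses the first matching "access to" clause, and masterAccount itself must be protected, since whoever can write it decides who may reset the password. The OIDs 1.3.6.1.4.1.99999.1.1 and 1.3.6.1.4.1.99999.2.1 and the objectClass name delegatedAccount are placeholders I chose for illustration; use OIDs under your own Private Enterprise Number.

```conf
# Added example, not from the original posts. Placeholder OIDs: replace
# 1.3.6.1.4.1.99999.* with OIDs from your own Private Enterprise Number.
# 1.3.6.1.4.1.1466.115.121.1.12 is the standard DN syntax, so slapd
# normalizes and compares the stored value as a DN, which is what the
# dnattr ACL clause needs.
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'masterAccount'
    DESC 'DN of the account allowed to reset the password of this entry'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

# Auxiliary class so masterAccount can be added to existing user entries.
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'delegatedAccount'
    SUP top AUXILIARY MAY masterAccount )

# ACLs are evaluated in order; the first "access to" clause that matches the
# target wins. Keep the userPassword rule ahead of the catch-all below.
access to attrs=userPassword
    by self write
    by dnattr=masterAccount write
    by * auth

# masterAccount is the delegation decision itself. Nobody but the rootdn
# (which bypasses ACLs) should be able to change it; the owner may read it.
access to attrs=masterAccount
    by self read
    by * none

access to *
    by self write
    by users read
    by * none
```

To verify, bind as the master account and reset a subordinate entry's password, e.g. `ldappasswd -x -D "uid=xyz,ou=users,dc=justthe,dc=net" -W -S "uid=abc,ou=users,dc=justthe,dc=net"` (uid=abc is an assumed target entry). It should succeed only when that entry's masterAccount holds the bind DN; against any other entry slapd answers with "Insufficient access". Without the second rule, a bound user could write masterAccount on entries they otherwise control, so the attribute restriction is what keeps the delegation under the administrator's control.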