SOLVED Re: Can I do this with OpenLDAP acls?

Tony Earnshaw wrote:

There are many cases in which unprivileged (not necessarily but often
bound) entities should be configurable so that they cannot read details
- think of homeTelephoneNumber, homeAddress, mobile etc. So "access to *
by *" would never do in my ACLs ;)

FWIW, I solved my dilemma. I changed my schema to specify that masterAccount contains a DN, which allowed me to do this:

access to attr=userPassword
        by self write
        by dnattr="masterAccount" write
        by * auth

This allows uid=xyz,ou=users,dc=justthe,dc=net to change the password for any account for which that DN is specified in the masterAccount attribute. I am able to change the password, for example, for my LDAP entry and one other LDAP entry for which my DN is specified as the masterAccount, but I can't change anyone else's password without binding as the rootdn.

If I need to give the masterAccount DN more access I can add ACL entries later, but my initial goal was to allow a master user to be able to change passwords for any of the accounts under his control.

I think this is a much more elegant solution than trying to use sets.

JustThe.net Internet & New Media Services, Apple Valley, CA   PGP: 0xE3AE35ED
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net
"someone once called me a sofa, but i didn't feel compelled to rush out and buy
slip covers." -adam brower * Hiroshima '45, Chernobyl '86, Windows 98/2000/2003
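To make the evaluation of the ACL in the post concrete, here is an added model of how slapd walks its three `by` clauses (example code written for this page, not taken from the post or from OpenLDAP); the DNs, entries and the rootdn value are constructed assumptions. It also shows why the right granted through `dnattr="masterAccount"` is only as strong as the protection on the masterAccount attribute itself.

```python
"""Toy model of OpenLDAP ACL evaluation for:
    access to attr=userPassword
        by self write
        by dnattr="masterAccount" write
        by * auth
slapd tries the 'by' clauses in order and the first one that matches the
bound identity decides the access level.  Not OpenLDAP code; constructed data."""

# Constructed sample directory: DN -> attributes.  masterAccount holds DNs,
# which is what makes the dnattr clause work (the schema change in the post).
DIRECTORY = {
    "uid=xyz,ou=users,dc=justthe,dc=net":   {"masterAccount": []},
    "uid=alice,ou=users,dc=justthe,dc=net": {
        "masterAccount": ["uid=xyz,ou=users,dc=justthe,dc=net"]},
    "uid=bob,ou=users,dc=justthe,dc=net":   {"masterAccount": []},
}
ROOTDN = "cn=Manager,dc=justthe,dc=net"   # assumed; rootdn bypasses ACLs entirely

# OpenLDAP access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def normalize_dn(dn):
    """Crude DN normalisation (case and spacing) for comparison purposes."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def acl_userpassword(bind_dn, target_dn, directory=DIRECTORY):
    """Access level bind_dn gets to userPassword on target_dn.
    bind_dn=None represents an anonymous bind."""
    who = normalize_dn(bind_dn) if bind_dn else None
    target = directory[normalize_dn(target_dn)]
    if who == normalize_dn(ROOTDN):
        return "manage"                       # rootdn is never subject to ACLs
    if who is not None and who == normalize_dn(target_dn):
        return "write"                        # by self write
    masters = {normalize_dn(d) for d in target.get("masterAccount", [])}
    if who is not None and who in masters:
        return "write"                        # by dnattr="masterAccount" write
    return "auth"                             # by * auth (bind only, no read)

def granted(level, needed):
    """True if the access level obtained is at least the one required."""
    return LEVELS.index(level) >= LEVELS.index(needed)

# Caveat for the defender: whoever may write masterAccount on an entry can
# hand out password-write on that entry, so that attribute needs its own ACL.
def can_delegate(bind_dn, target_dn, masteraccount_writers):
    """Can bind_dn add itself (or anyone) to target's masterAccount?"""
    return normalize_dn(bind_dn) in {normalize_dn(d) for d in masteraccount_writers}
```

Run with a target for which the bound DN is neither self nor listed in masterAccount to see the fall-through to `auth`.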