[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control

Digant C Kasundra wrote:
Hello everyone,

I'm trying to see if/how the following access controls could be written:

1. Allow * to read attributes (name, email, phonenumber) in entries in the "cn=people,dc=uta,dc=edu" subtree *IF* attribute viewableAttributes=email.
(I can understand how to do this for the most part except for the *IF* condition).

Here's a rule I wrote yesterday:

access to dn.subtree="ou=Users,dc=wfu,dc=edu"
        by * read

slapd.access(5) doesn't make clear that you can have all three qualifiers on one access line, but you can.

2. Allows write access to users who have the attribute userPrivs=admin.

You may want to create an Admin group... at which point you can say:

access to dn.subtree="whatever"
        by group="cn=Admin,dc=group,dc=wfu,dc=edu" write
	by * break

For others: does the "group" specification used here respect "memberOf"?

           John Borwick
       Systems Administrator
      Wake Forest University | web  http://www.wfu.edu/~borwicjh
      Winston-Salem, NC, USA | GPG key ID               7F1F051B

Attachment: signature.asc
Description: OpenPGP digital signature