[Date Prev][Date Next]
Re: Access control
--On Tuesday, May 25, 2004 1:50 PM -0400 John Borwick <email@example.com>
Digant C Kasundra wrote:
I'm trying to see if/how the following access controls could be written:
1. Allow * to read attributes (name, email, phonenumber) in entries in
the "cn=people,dc=uta,dc=edu" subtree *IF* attribute
(I can understand how to do this for the most part except for the *IF*
Here's a rule I wrote yesterday:
access to dn.subtree="ou=Users,dc=wfu,dc=edu"
by * read
slapd.access(5) doesn't make clear that you can have all three qualifiers
on one access line, but you can.
2. Allows write access to users who have the attribute userPrivs=admin.
You may want to create an Admin group... at which point you can say:
access to dn.subtree="whatever"
by group="cn=Admin,dc=group,dc=wfu,dc=edu" write
by * break
For others: does the "group" specification used here respect "memberOf"?
In 2.2, another possibility would to be create a dynamic group who's
members are determined by userPrivs=admin, and just give that group write
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html