
Re: Let logged-in users see their accounts

<fuser9bb@hotpop.com> writes:

> I am using OpenLDAP 2.2.15 on RHES3.
> I would like to let an account see its own attributes and what groups it
> belongs to, but not be able to view other accounts or groups that it does
> not belong to. This is a requirement of how a lot of applications work
> (e.g., they look at the account you login as and check which groups you
> belong to).
> access to dn.subtree="uid=[self],ou=Accounts,dc=xxx"
>         by self read

access to dn.regex="^uid=([^,]+),ou=Accounts,dc=xx$"
        by dn.exact,expand="uid=$1,ou=accounts,dc=xx" write
        by * none


> access to dn.subtree="cn=[in-this-group],ou=Groups,dc=xxx"
>         by self-in-group read

> I have been reviewing slapd.access but haven't seen a solution so far. I'm
> not sure if there is one.



Dieter Klünter | Systemberatung
GPG Key ID:01443B53
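
An added example, not part of the original message or of OpenLDAP: a simplified Python model of the regex match and `$1` expansion behind a `dn.regex` / `dn.exact,expand` rule, for checking which bound DN a pattern actually authorizes before it goes into slapd.conf. The DNs are constructed samples, and the case-insensitive comparison is an assumption standing in for slapd's DN normalization.

```python
import re

GOOD = r"^uid=([^,]+),ou=Accounts,dc=xx$"   # quantifier inside the group
BAD = r"^uid=([^,])+,ou=Accounts,dc=xx$"    # group repeats, $1 keeps last char only
WHO = "uid=$1,ou=accounts,dc=xx"            # the dn.exact,expand template


def evaluate(target_regex, who_template, target_dn, bound_dn):
    """Model one 'access to dn.regex=... by dn.exact,expand=... write / by * none'.

    Returns 'write', 'none', or None when the rule does not apply to target_dn.
    Assumption: case-insensitive comparison stands in for slapd's DN normalization.
    """
    m = re.match(target_regex, target_dn, re.IGNORECASE)
    if m is None:
        return None  # no match: slapd would move on to the next access rule
    # Substitute $N with the N-th captured submatch of the target DN.
    expanded = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), who_template)
    return "write" if expanded.lower() == bound_dn.lower() else "none"


# Constructed sample DNs (not from the original message).
ALICE = "uid=alice,ou=Accounts,dc=xx"
BOB = "uid=bob,ou=Accounts,dc=xx"
E = "uid=e,ou=Accounts,dc=xx"


def report():
    """Evaluate access to ALICE's entry for each bound DN under both patterns."""
    rows = []
    for name, rx in (("GOOD", GOOD), ("BAD", BAD)):
        for bound in (ALICE, BOB, E):
            rows.append((name, bound, evaluate(rx, WHO, ALICE, bound)))
    return rows


if __name__ == "__main__":
    for name, bound, result in report():
        print(f"{name:4} target={ALICE} bound={bound} -> {result}")
```

With the quantifier outside the group, `$1` holds only the last character of the uid, so the owner is denied and a different account whose uid is that single character is granted write.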