
Write access for users to their children

I would value the advice of the list on developing the correct access control statement that would allow a user to write to their own entry and to any entry beneath them in the tree. I have tried the method in the FAQ at http://www.openldap.org/faq/data/cache/653.html but can't get it to produce the right outcome.

root domain dc=medicine,dc=net,dc=au
level one ou=Hospital One ou=Northern GPs ....... (about 30 organisations)
level two ou=Emergency & ou=Surgery... ou=High St Clinic & ou=Family Med Centre...
level three cn=Mark Green cn=Victor Chang cn=Marcus Welby cn=Dr Jekyl

I'd like someone who has a bind as Hospital One to be able to add and edit departments (level two) and their doctors (level three), and someone with a bind as Emergency to be able to add and edit doctors within that department.

I have tried combinations of this ACL without success and would appreciate some advice. Thanks.

access to attrs=userPassword
    by self write
    by * auth
access to dn.regex="(.+),?(ou=[^,]+,dc=medicine,dc=org,dc=au)$"
    by dn.exact,expand="$2" write
    by anonymous auth
access to *
    by self write
    by * read

Tony Lembke
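An added example, not part of the post or of OpenLDAP: a small Python model of how slapd walks an ACL list (the first `access to` clause whose `<what>` matches the target entry is final; inside it the first matching `by` clause decides; no matching `by` means the implicit `by * none`) and how the `$N` groups captured by a `dn.regex` `<what>` are expanded into a `dn.exact,expand` `<who>`. It runs the posted ACL, transcribed as-is, against a constructed tree shaped like the one in the post, and then a hypothetical alternative regex of my own that captures both the department and the organisation. The DNs are in normalised form (lower case, no spaces after commas) and the regex is treated as a case-insensitive, unanchored extended regex, which is my understanding of how slapd compiles and applies `dn.regex`; the model covers only the `<who>` forms that appear on the page.

```python
import re
from typing import Optional

# Simplified model of slapd ACL evaluation (added example, not slapd code): the first
# "access to" clause whose <what> matches the target is final; within it the first
# matching <by> clause grants its level; no matching <by> means the implicit "by * none".

SUFFIX = "dc=medicine,dc=net,dc=au"

# Constructed sample entries in normalised form (lower case, no space after commas),
# the form slapd compares DNs in. Names follow the tree sketched in the post.
HOSPITAL = f"ou=hospital one,{SUFFIX}"       # level one
EMERGENCY = f"ou=emergency,{HOSPITAL}"       # level two
DOCTOR = f"cn=mark green,{EMERGENCY}"        # level three
CLINIC = f"ou=high st clinic,{SUFFIX}"       # a different level-one organisation


def expand(template: str, match: re.Match) -> str:
    """Replace $1..$9 in a <who> pattern with the groups captured by the <what> regex."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template)


def who_matches(who: str, bind_dn: Optional[str], target_dn: str,
                match: Optional[re.Match]) -> bool:
    """The <who> forms used on this page: *, anonymous, self and dn.exact,expand."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    if who.startswith("dn.exact,expand="):
        template = who[len("dn.exact,expand="):]
        return match is not None and bind_dn == expand(template, match)
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(acl, bind_dn: Optional[str], target_dn: str, attr: str = "ou") -> str:
    """Return the access level (none/auth/compare/search/read/write) bind_dn gets
    to attribute attr of target_dn under the given ACL list."""
    for what_kind, what_val, by_list in acl:
        match = None
        if what_kind == "attrs" and attr.lower() not in what_val:
            continue
        if what_kind == "regex":
            # regexec on a case-insensitive extended regex; unanchored unless ^ is written
            match = re.search(what_val, target_dn, re.IGNORECASE)
            if match is None:
                continue
        for who, level in by_list:
            if who_matches(who, bind_dn, target_dn, match):
                return level
        return "none"          # matching <what>, but no <by> applied: implicit "by * none"
    return "none"


def posted_acl(regex: str):
    """The post's three clauses, with the dn.regex <what> as a parameter."""
    return [
        ("attrs", {"userpassword"}, [("self", "write"), ("*", "auth")]),
        ("regex", regex, [("dn.exact,expand=$2", "write"), ("anonymous", "auth")]),
        ("*", None, [("self", "write"), ("*", "read")]),
    ]


POSTED_REGEX = r"(.+),?(ou=[^,]+,dc=medicine,dc=org,dc=au)$"   # exactly as posted
POSTED_REGEX_NET = POSTED_REGEX.replace("dc=org", "dc=net")      # same, on the dc=net tree

# Hypothetical alternative (my construction, not from the post or the FAQ): $2 is the
# department and $3 the organisation, so both ancestors can write; "self write" is
# repeated because the first matching "access to" clause is final, and "* read" keeps
# other authenticated users able to read.
SUBTREE_ACL = [
    ("attrs", {"userpassword"}, [("self", "write"), ("*", "auth")]),
    ("regex", r"^(.*,)?(ou=[^,]+,(ou=[^,]+,dc=medicine,dc=net,dc=au))$",
        [("self", "write"), ("dn.exact,expand=$2", "write"),
         ("dn.exact,expand=$3", "write"), ("*", "read")]),
    ("regex", r"^(.*,)?(ou=[^,]+,dc=medicine,dc=net,dc=au)$",
        [("self", "write"), ("dn.exact,expand=$2", "write"), ("*", "read")]),
    ("*", None, [("self", "write"), ("*", "read")]),
]


if __name__ == "__main__":
    cases = [(HOSPITAL, EMERGENCY), (HOSPITAL, DOCTOR), (EMERGENCY, DOCTOR),
             (DOCTOR, DOCTOR), (CLINIC, DOCTOR), (None, DOCTOR)]
    for name, acl in [("posted (dc=org)", posted_acl(POSTED_REGEX)),
                      ("posted (dc=net)", posted_acl(POSTED_REGEX_NET)),
                      ("subtree", SUBTREE_ACL)]:
        for bind_dn, target in cases:
            print(f"{name:16} bind={bind_dn or 'anonymous':45} -> {evaluate(acl, bind_dn, target)}")
```

Two things the model makes visible. With the regex exactly as posted, the suffix it looks for (`dc=org`) never occurs in a `dc=net` tree, so every entry falls through to `access to *` and the Hospital One bind only gets read. With the suffix matching the tree, `$2` always expands to the level-one organisation, so Hospital One can write to Emergency and to the doctors but the Emergency bind gets nothing on its doctors (the only remaining `by` is `anonymous auth`, and an authenticated user that matches no `by` is denied); the alternative regex captures each ancestor in its own group and repeats `self write` so that a doctor keeps write access to their own entry.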