Re: ACLs: Dn.subtree + dnattr
At 09:02 AM 6/22/2005, Florian Hochstrasser wrote:
>Can anybody point me in the right way? I have a problem with specifying acls which depend on the 'dnattr' who-qualifier. Unfortunately, the 'dnattr' is not documented too well and I couldn't get it working until now.
>Here's the setup:
>I have a hierarchy like this:
>The location objectclass:
>objectclass ( 220.127.116.11.9 NAME 'myLocality'
> DESC 'a locality object'
> SUP locality STRUCTURAL
> MUST objectclass
> MAY ( admin $ timeZone $ itDomainID $ adminMail $ mail $ description $
> postalAddress $ c $ telephoneNumber $ facsimileTelephoneNumber ) )
>Now on the 'l' objects, I created the attribute 'admin' which holds the dn's of people who are (or should be ...) allowed to edit and create entries below the l's.
>My acl for such a location looks like this:
>access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
> by dnattr=Admin write
Target objects in the named subtree may be written by
whoever is listed in the target object's Admin attribute.
Seems what you want is something like:
>There are different admins for each location, and I have many of them so it would be a good thing if I could keep the existing structure and still get it to work.
You might consider using regex/expand facilities.
See slapd.access(5), the Admin Guide, and answers under
>Thank you very much for your help.
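The two ACL shapes discussed in this reply, written out as an added example (it is not from the thread or from the OpenLDAP documentation): the dnattr form, which checks the Admin attribute of each target entry, and a dn.regex plus group.expand form from slapd.access(5) that checks the admin attribute of the enclosing l= entry instead. It assumes that admin has DN syntax on myLocality entries and that the base is ou=bla,o=blabla,dc=example,dc=com, both as stated in the original message.

```conf
# Added example (not from the thread). Assumes 'admin' is a DN-syntax
# attribute on myLocality entries, as described in the original message.

# 1. dnattr: access is decided per *target* entry. A user may write an
#    entry only if their DN appears in THAT entry's admin attribute, so
#    admins listed on the l= entry alone cannot touch entries beneath it.
access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
    by dnattr=admin write
    by * read

# 2. regex + group.expand: match every entry at or below any l= entry,
#    capture the DN of that l= entry in $2, and treat that entry as a
#    "group" of objectclass myLocality whose membership attribute is
#    'admin'. Anyone listed there gets write access to the whole subtree.
access to dn.regex="^(.+,)?(l=[^,]+,ou=bla,o=blabla,dc=example,dc=com)$"
    by group/myLocality/admin.expand="$2" write
    by * read
```

slapd applies the first `access to` clause whose target matches, so these two rules are alternatives for the same subtree, not a pair to be deployed together.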