
Re: ACLs: Dn.subtree + dnattr

At 09:02 AM 6/22/2005, Florian Hochstrasser wrote:
>Dear List
>Can anybody point me in the right way? I have a problem with specifying acls which depend on the 'dnattr' who-qualifier. Unfortunately, the 'dnattr' is not documented too well and I couldn't get it working until now.
>Here's the setup: 
>I have a hierarchy like this:
>The location objectclass:
>objectclass ( NAME 'myLocality'
>    DESC 'a locality object'
>    SUP locality STRUCTURAL
>    MUST objectclass
>    MAY ( admin $ timeZone $ itDomainID $ adminMail $ mail $ description $ 
>        postalAddress $ c $ telephoneNumber $ facsimileTelephoneNumber ) )
>Now on the 'l' objects, I created the attribute 'admin' which holds the dn's of people who are (or should be ...) allowed to edit and create entries below the l's.
>My acl for such a location looks like this:
>access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
>        by dnattr=Admin write

Target objects in the named subtree may be written by
whoever is listed in the target object's Admin attribute. 

Seems what you want is something like:
 by group/myLocality/Admin="l=something,ou=bla,o=blabla,dc=example,dc=com"

>There are different admins for each location, and I have many of them so it would be a good thing if I could keep the existing structure and still get it to work.

You might consider using regex/expand facilities.

See slapd.access(5), the Admin Guide, and answers under
for details.

>Thank you very much for your help.
>Regards, Florian
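As an added illustration (not part of the original thread) of the three forms discussed above, the following slapd.conf fragments are built on the myLocality schema and the DIT quoted in the question; the suffix and the attribute name `admin` are taken from that question, and the regex form is an assumed way to apply the reply's regex/expand suggestion.

```conf
# Added example, not from the original thread: slapd.conf ACL fragments
# built on the myLocality schema and DIT quoted in the question.

# As posted: dnattr is evaluated against the *target* entry, so only the
# l= object itself (which carries the admin attribute) is writable by its
# admins; entries below it have no admin attribute and never match.
access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
        by dnattr=admin write
        by * read

# One location, spelled out with the group/<objectclass>/<attribute> form:
# the admin attribute of the named l= entry is read as a list of member
# DNs, and every target in that subtree is writable by those DNs.
access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
        by group/myLocality/admin="l=something,ou=bla,o=blabla,dc=example,dc=com" write
        by * read

# All locations in one rule: capture the l= entry's DN from the target DN
# with dn.regex and expand it into the group DN, so each location's own
# admin attribute governs its own subtree (suffix assumed from the question).
access to dn.regex="^(.+,)?(l=[^,]+,ou=bla,o=blabla,dc=example,dc=com)$"
        by group/myLocality/admin.expand="$2" write
        by * read
```

Only the first `access to` clause whose target matches a given entry is evaluated, so a real configuration keeps one of these forms rather than all three in sequence.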