
Re: (raise question again) how to configure LDAP to allow each logged-in user to modify the subtree of the current user?

<quote who="Zhang Weiwu">
> Dear list,
> I've posted this question before. Maybe it's my bad English, but I didn't
> get a solution, nor an answer of "it's impossible" either, so I am posting
> again (yes, I know people answer me for free and out of kindness, and I am
> really thankful for all feedback).
> Is it possible to define an ACL so that every user who successfully binds
> (logs in) can modify their own entry as well as the sub-entries under it?
> e.g.
> dn: ou=support,xxx
> If a connection is bound to this dn, it can modify these entries:
> dn: cn=Wang Penghui,ou=support,xxx
> dn: cn=Zhang Weiwu,ou=support,xxx
> Now we have some 3000 people who can log in to the LDAP database, and each
> is logged in as an entry which is an organization or organizationalUnit.
> They all need to be able to modify entries within their own organization
> or organizationalUnit.
> I know how to define one ACL rule for one user to be able to modify an entry
> and its subtree, but in my case I need to define 3000 ACL rules (and
> this number is still growing). Can such a permission requirement be
> defined within a limited number of ACL rules?

Just use a regular expression (dn.regex) and capture the user's cn, cn=(.*),
and ou=support,(.*), then use $1 and $2.

man slapd.access

> Best Regards
> --
> Zhang Weiwu
> Real Softservice
> http://www.realss.com
> +86 592 2091112
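
As an added illustration of the dn.regex / $n expansion idea from the reply above (this is not from the thread or from the OpenLDAP project, and it assumes the suffix is dc=example,dc=com in place of the original's "xxx", and that every organization (o=...) or organizationalUnit (ou=...) that users bind as sits directly under that suffix), here is a single slapd.conf ACL that covers all 3000 organizations at once:

```conf
# Added example, not the list's own config.  Assumed suffix: dc=example,dc=com
# (the original thread uses the placeholder "xxx").
#
# The "what" clause matches both an org entry itself ($1 is empty then) and
# every entry below it; $2 captures the org's own DN.  The "by" clause expands
# $2 and compares it exactly against the DN the session is bound as, so a
# connection bound as ou=support,dc=example,dc=com may write ou=support,...
# and everything under it, but nothing under ou=sales,...
access to dn.regex="^(.+,)?((o|ou)=[^,]+,dc=example,dc=com)$"
    by dn.exact,expand="$2" write
    by users read
    by * none

# Everything else (the suffix entry, entries not under any org) stays
# read-only for authenticated users.  Keep this rule AFTER the one above:
# slapd uses the first "access to" clause whose target matches.
access to *
    by users read
    by * none
```

Two things worth checking before relying on this: the regex anchors $2 immediately before the suffix, so if organizations can be nested (ou=sub,ou=support,...) only the top-level org gets write access and the pattern needs adjusting; and the rootdn bypasses ACLs entirely, so test with an ordinary bind. slapacl lets you verify without a live bind, e.g. slapacl -D "ou=support,dc=example,dc=com" -b "cn=Zhang Weiwu,ou=support,dc=example,dc=com" entry/write should report write granted, while the same check with -D "ou=sales,dc=example,dc=com" should not.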