ACCESS LIST
- To: openldap-software@openldap.org
- Subject: ACCESS LIST
- From: Isaac Gonzalez <igonzalez@es.clara.net>
- Date: Fri, 21 Sep 2007 19:14:39 +0200
- In-reply-to: <46F3F9E9.9020706@es.clara.net>
- References: <46F3F9E9.9020706@es.clara.net>
- User-agent: Thunderbird 1.5.0.13 (X11/20070824)
Hi,
> I have this structure
>
> dc=empresa,dc=com
> |
> Dep1
> |
> |---------User1
> |---------User11
> Dep2
> |
> |---------User2
> |---------User22
> Dep3
> |
> |---------User3
> |---------User33
>
>
> I want User1 and User11 (users under Dep1) to be able to access only Dep1,
> User1 and User11 data. --> Dep1 subtree
> I want User2 and User22 (users under Dep2) to be able to access only Dep2,
> User2 and User22 data. --> Dep2 subtree
> I want User3 and User33 (users under Dep3) to be able to access only Dep3,
> User3 and User33 data. --> Dep3 subtree
>
> Is this ACL correct? Can't it be simpler?
>
> #DEP1 ONLY ACCESS TO DEP1
> access to dn.subtree="ou=Dep1,dc=empresa,dc=com"
> by dn.children="ou=Dep1,dc=empresa,dc=com" read
> by anonymous auth
> by * none
>
> #DEP2 ONLY ACCESS TO DEP2
> access to dn.subtree="ou=Dep2,dc=empresa,dc=com"
> by dn.children="ou=Dep2,dc=empresa,dc=com" read
> by anonymous auth
> by * none
>
> #DEP3 ONLY ACCESS TO DEP3
> access to dn.subtree="ou=Dep3,dc=empresa,dc=com"
> by dn.children="ou=Dep3,dc=empresa,dc=com" read
> by anonymous auth
> by * none
>
> #ADMIN
> access to *
> by dn="cn=admin,dc=empresa,dc=com" write
> by anonymous auth
> by * none
>
>
> Thanks and bye.
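One way to collapse the three per-department rules into a single rule with a captured ou name, written here as an added example and not part of this thread. It assumes the same suffix dc=empresa,dc=com with each department as an ou= entry directly under it, and that cn=admin is not the rootdn; it also keeps userPassword out of the department-wide read grant, which the quoted ACL does not.

```conf
# Added example, not the poster's configuration.
# Assumes suffix dc=empresa,dc=com and departments as ou=<Dep> entries
# directly under it. $2 is the ou value captured by the "to" regex.

# Password hashes: only the admin may read/write them; binds still work
# because anonymous gets "auth" (needed for simple bind), nobody else reads.
access to dn.regex="^(.+,)?ou=([^,]+),dc=empresa,dc=com$" attrs=userPassword
        by dn="cn=admin,dc=empresa,dc=com" write
        by anonymous auth
        by * none

# Everything else inside ou=<Dep>: readable only by entries beneath that
# same ou (dn.children with the "expand" modifier substitutes $2).
access to dn.regex="^(.+,)?ou=([^,]+),dc=empresa,dc=com$"
        by dn="cn=admin,dc=empresa,dc=com" write
        by dn.children,expand="ou=$2,dc=empresa,dc=com" read
        by anonymous auth
        by * none

# Catch-all for the rest of the tree (base entry included).
access to *
        by dn="cn=admin,dc=empresa,dc=com" write
        by anonymous auth
        by * none
```

slapd evaluates only the first `access to` whose target matches the entry, so an admin identity that is not the rootdn must be granted inside every rule that can match it; the rootdn itself bypasses ACLs entirely.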