Re: grant access on an attribute specific value
> Hi all,
>
> I am running an openldap 2.4.7 on debian with small local schema
> modifications: a few more attributes and an objectClass derived from
> inetOrgPerson.
>
> I have looked in the administrator's guide and the slapd.access manpage
> but I can't figure out how to do the following: I want to give write
> access depending on the value of an attribute.
An attribute in the target (the "what") or in the user (the "who")?
> something like:
> access to dn="cn=foo,ou=groups,dc=example,dc=com"
> attrs=cn,description,memberUid,entry
> by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
This syntax is not valid.
> If I have read the manpage correctly, I can't do it with a filter. Is
> there any way to get this behavior?
If access depends on values in the "what", use filter="<your filter>" in
the "what" clause; if access depends on values in the "who", use sets; in
your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com"
        attrs=cn,description,memberUid,entry
        by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
should work (note: indentation has probably been destroyed by my mailer).
> It is not clear to me if the "dynacl" I saw in the manpage:
> - can solve this problem
> - are compulsory to solve it
Dynacl has nothing to do with it. In fact, dynacl is a mechanism that allows you
to code access checking yourself, and plug it in as a run-time loadable
object. So, by itself, it would allow a lot of freedom, provided you can
write the code that does what you mean.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
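Added example (not from the mail above): the two slapd.conf ACL shapes the reply distinguishes, the "what" filter and the "who" set, side by side. The base DNs and the employeeType value are assumed from the thread.

```conf
# Added example, not from the original mail. Base DNs and the
# employeeType=chief value are assumed from the thread; adjust to your DIT.

# Case 1: access depends on a value in the TARGET entry (the "what").
# The filter is matched against the entry being accessed, so here only
# people entries that themselves carry employeeType=chief may be written
# by their owner; everyone else gets read.
access to dn.children="ou=people,dc=example,dc=com"
        filter=(employeeType=chief)
        attrs=cn,description,memberUid,entry
        by self write
        by * read

# Case 2: access depends on a value in the REQUESTING user's entry (the
# "who"), which is what the question actually asks for. The set expands the
# LDAP URL to the DNs of every inetOrgPerson with employeeType=chief and
# grants write only if the bound user's DN is in that set.
access to dn.exact="cn=foo,ou=groups,dc=example,dc=com"
        attrs=cn,description,memberUid,entry
        by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
        by * read

# Evaluation order matters: slapd applies the first "access to" clause
# whose "what" matches, then the first matching "by" within it; if no "by"
# matches, access is denied. Place these before any broader "access to *".
```

Check the result with slapacl (e.g. `slapacl -b "cn=foo,ou=groups,dc=example,dc=com" -D "<bind dn>" memberUid/write`) before relying on it.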