[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: grant access on a attribute specific value

Subject: Re: grant access on a attribute specific value
From: Tobias FranzÃn <lists.zxinn@otaking.se>
Date: Sat, 16 Feb 2008 23:30:42 +0100
Cc: openldap-software@openldap.org
In-reply-to: <47B74F7F.7060403@free.fr>
Organization: otaking.se
References: <47B74F7F.7060403@free.fr>
User-agent: Thunderbird 2.0.0.9 (Windows/20071031)

Fabrice Eudes wrote:

Hi all,
I am runing an openldap 2.4.7 on debian with small local schema modifications: a few more attributes and an objectClass derived from inetOrgPerson.

I have looked in the administrator's guide and the slapd.access manpage but I can't figure out how to do the following: I want to give write access depending on the value of an attribute.
something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com"
             attrs=cn,description,memberUid,entry
       by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
If I have read the manpage correctly, I can't do it with a filter. Is there any way to get this behavior ?
It is not clear for me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
any help ? example ?
thanks.


I am not sure how to do exactly what you ask, but an alternative would
be to use the "group" <who> clause.

If all your "chiefs" are in a common group, just add:
   by group.exact="cn=Chiefs,ou=Groups,dc=example,dc=com" write

/Tobias

References:
- grant access on a attribute specific value
  - From: Fabrice Eudes <fabrice.eudes@free.fr>

Prev by Date: grant access on a attribute specific value
Next by Date: Re: grant access on a attribute specific value
Index(es):
- Chronological
- Thread