[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: grant access on a attribute specific value

Fabrice Eudes wrote:
Hi all,

I am runing an openldap 2.4.7 on debian with small local schema modifications: a few more attributes and an objectClass derived from inetOrgPerson.

I have looked in the administrator's guide and the slapd.access manpage but I can't figure out how to do the following: I want to give write access depending on the value of an attribute.

something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com"
       by (&(objectClass=inetOrgPerson)(employeeType=chief)) write

If I have read the manpage correctly, I can't do it with a filter. Is there any way to get this behavior ?

It is not clear for me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it

any help ? example ?


I am not sure how to do exactly what you ask, but an alternative would be to use the "group" <who> clause.

If all your "chiefs" are in a common group, just add:
   by group.exact="cn=Chiefs,ou=Groups,dc=example,dc=com" write