
Re: Authenticated users can create new entries but then only creator can modify entry



----- "fathi engineer" <fathi.engineer@gnet.tn> wrote:

> Hi, 
> 
> In the process of setting up an openldap server as a pgp key server,
> I want to grant access to every authenticated user to create a new
> entry in a subtree of the basedn and everybody to read entries in
> that subtree but only the creator to be able to modify his entries. 
> 
> I tried with the following (unsuccessfully): 
> 
> access to dn.children="ou=PGP Keys,o=SNCFT,c=TN" 
>        by dn.regex="^uid=([^,]+),(ou=[^,]+,)+ou=Users,o=SNCFT,c=TN$" selfwrite 
>        by dn.regex="^uid=([^,]+),ou=Users,o=SNCFT,c=TN$" write 
>        by * read 
> 
> and also 
>        by dnattr=owner selfwrite 
>        by users write 
>        by * read 
> 
> but none worked. 
> 
> I am running openldap-2.3.27-8.el5_2.4 

Did you read slapd.access(5)?  Did you read the requirements for the add and modify operations?  You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification.  And "owner" is a specific attribute of some objectClasses; unless you're creating those objects with the correct "owner" value, the creator will not be able to write them.  You should use 

        by dnattr=creatorsName write

The "self" is not needed; it refers to a user writing to a target corresponding to its own name, or to an attribute whose value consists of its own name.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
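The ACL set below is an added example, not part of the thread and not endorsed by the OpenLDAP project; it puts the reply's advice into slapd.conf form for the poster's subtree. The DNs are the poster's own; the rule ordering and the decision to give authenticated users write access to the "entry" pseudo-attribute are assumptions made for this example.

```conf
# Added example (not from the original thread). Assumes the poster's
# tree: keys live directly under "ou=PGP Keys,o=SNCFT,c=TN" and people
# authenticate as entries under "ou=Users,o=SNCFT,c=TN".
#
# slapd.access(5), operation requirements (2.3 semantics):
#   add    -> write on the "children" pseudo-attribute of the parent
#             AND write on the "entry" pseudo-attribute of the new entry
#   delete -> write on "entry" of the target AND "children" of the parent
#   modify -> write on each attribute being modified
# The first matching "access to" clause wins, so the pseudo-attribute
# rules come first and name their attrs explicitly.

# 1. Letting authenticated users add children under the key container.
access to dn.exact="ou=PGP Keys,o=SNCFT,c=TN" attrs=children
        by users write
        by * read

# 2. The "entry" pseudo-attribute of each key entry. creatorsName does
#    not exist yet while an add is being evaluated, so the creator cannot
#    be matched at add time; "by users write" is what makes adds succeed.
#    Once the entry exists, dnattr=creatorsName matches its creator.
access to dn.children="ou=PGP Keys,o=SNCFT,c=TN" attrs=entry
        by dnattr=creatorsName write
        by users write
        by * read

# 3. The attributes of each key entry: only the creator may modify,
#    everyone (including anonymous) may read. No "self" is involved,
#    since the target is not the user's own entry.
access to dn.children="ou=PGP Keys,o=SNCFT,c=TN"
        by dnattr=creatorsName write
        by * read
```

Caveat worth checking before deploying: rule 2 grants every authenticated user write on "entry", and on OpenLDAP 2.3 that single privilege covers both add and delete, so any user can delete any key entry (delete also needs write on the parent's "children", which rule 1 grants). OpenLDAP 2.4 splits "write" into the "add" and "delete" sub-privileges (the "a" and "z" flags in slapd.access(5)); there, rule 2 can give "by users add" and leave delete to the creator. On 2.3 the only way to keep deletion away from non-creators is to disallow it for everyone, e.g. by not granting "write" on "entry" to "users" and instead having an administrative process create the entries. Verify the final set with slapacl(8) against a real key DN and a real user DN before trusting it.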