[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authenticated users can create new entries but then only creator can modify entry

----- "fathi engineer" <fathi.engineer@gnet.tn> wrote:

> Hi, 
> In the proccess of setting up an openldap server as a pgp key server,
> I want to grant access to every authenticated user to create a new
> entry in a subtree of the basedn and every body to read entries in
> that subtree but only creator to be able to modify his entries. 
> I tried with the following (unsuccessfully): 
> access to dn.children="ou=PGP Keys,o=SNCFT,c=TN" 
>        by dn.regex="^uid=([^,]+),(ou=[^,]+,)+ou=Users,o=SNCFT,c=TN$"
> selfwrite 
>        by dn.regex="^uid=([^,]+),ou=Users,o=SNCFT,c=TN$" write 
>        by * read 
> and also 
>        by dnattr=owner selfwrite 
>        by users write 
>        by * read 
> but none worked. 
> I am running openldap-2.3.27-8.el5_2.4 

Did you read slapd.access(5)?  Did you read the requirements for the add and modify operations?  You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification.  And "owner" is a specific attribute of some objectClasses; unless you're creating those objects with the correct "owner" value, the creator will not be able to write them.  You should use 

        by dnattr=creatorsName write

The "self" is not needed; it refers to a user writing to a target corresponding to its own name, or to an attribute whose value consists in its own name.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it