
Re: Let "self" create new entries

--On Sunday, May 03, 2009 04:14:59 AM +0200 Wolfgang Lorenz <wl-chmw@gmx.de> wrote:

Hello,

I'm quite new to LDAP and at the moment I'm really just playing
around, and trying to learn how to configure and use OpenLDAP
correctly.

So I set up some kind of a small address directory, as could be used
by my family to have a central place, where addresses can be stored,
just to keep in contact. The setup looks like this:

# reading out data as authenticated user
access to dn.children="ou=people,dc=example,dc=org"
        by self write
        by users read
access to dn.base="ou=people,dc=example,dc=org"
        by users read
access to dn.base="dc=example,dc=org"
        by users read

This seems to work fine: I can log in using my dn
	uid=wolfgang,ou=people,dc=example,dc=org
and I can change my details and view the details of the other uids.

Then I thought it would be nice to be able to create my own address
books within my "self" contact, such as
	ou=adrbook01,uid=wolfgang,ou=people,dc=example,dc=org
and have contacts in there that can only be shown by me. All other
users should be able to do the same thing, of course. So I tried to
create the new ou=adrbook01 entry and got a "no write access to
entry". As I understand it, I may only add and change attributes
that lie within my binddn.

So, now my question is: how can I configure slapd to enable users to
build their own subtrees, without having to give a rule for every
single uid that lies within ou=people?

Thanks in advance,
  Wolfgang

In a past life I set up a directory where users are allowed to add entries one level down from their own entry. This was to support an application that allowed users to save URLs. The URLs marked public were displayed with their directory listing and the URLs marked private were visible only to themselves. In any case, the ACLs required to support this look like:

access to filter=(&(objectclass=urlobject)(urlprivate=Y))
  by self.level{-1} write
  by * none

access to filter=(&(objectclass=listobject)(!(urlprivate=Y)))
  by self.level{-1} write
  by * read

Bill

--

Bill MacAllister <whm@stanford.edu>
Systems Software Programmer, ITS Unix Systems, Stanford University
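An added example, written by neither poster, that applies Bill's idea to Wolfgang's original configuration. It goes one step beyond the self.level{-1} clause (which covers exactly one level below the bind DN) by using dn.regex with the expand modifier, so that everything beneath a user's own entry, the address book ou and the contacts inside it, is private to its owner; slapd.conf syntax and the dc=example,dc=org suffix from the thread are assumed.

```conf
# Added example, not from the original thread.
# slapd evaluates "access to" clauses top-down and stops at the first clause
# whose target matches the entry, so the most specific rule must come first.

# 1. Anything at any depth beneath a user's entry, e.g.
#      ou=adrbook01,uid=wolfgang,ou=people,dc=example,dc=org
#      cn=alice,ou=adrbook01,uid=wolfgang,ou=people,dc=example,dc=org
#    The ".+," prefix keeps the user entry itself out of this rule.
#    $1 captures the owner's DN; "expand" substitutes it into the <who> DN,
#    so only the owner gets write access and everybody else gets nothing.
#    Bill's "by self.level{-1} write" would do the same for the first level only.
access to dn.regex="^.+,(uid=[^,]+,ou=people,dc=example,dc=org)$"
        by dn.exact,expand="$1" write
        by * none

# 2. The user entries themselves (Wolfgang's original rule, unchanged).
#    "by self write" covers every attribute, including the "children"
#    pseudo-attribute, which is what slapd checks before letting a bind DN
#    add an entry directly below its own.
access to dn.children="ou=people,dc=example,dc=org"
        by self write
        by users read

# 3. The containers, read-only for authenticated users (unchanged).
access to dn.base="ou=people,dc=example,dc=org"
        by users read
access to dn.base="dc=example,dc=org"
        by users read
```

Rule 1 also hides the existence of other users' address books during searches, since "by * none" denies the entry pseudo-attribute; the rootdn bypasses ACLs and can still see and administer them.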