
Re: Openldap fine grained / advanced ACLs

So basically I can do:

# "add" is the level keyword for the a privilege; the z ("zap") privilege
# is spelled "delete" in level form, so zap is written as delete here.
access to *
        by dn.exact="cn=admin,dc=company,dc=com" add
        by dn.exact="cn=faraz,dc=company,dc=com" delete

That is indeed not documented anywhere. Will start an ITS.

Pierangelo Masarati wrote:
Faraz R. Khan wrote:
Is it possible to have fine grained ACLs in OpenLDAP? My problem is that the 'write' access is too broad. I wish to be able to control ADD, modify and delete separately. I tried looking at aacls.sourceforge.net but it involves the setup of a separate server and looks abandoned.

Any pointers would be appreciated- maybe the denyop module? I was trying to find some docs but all I could find was a FAQ entry.

OpenLDAP 2.4 allows splitting the write privilege into "a" (add) and "z" (zap). A separate privilege for "modify" does not make too much sense to me: if a value is added, then one just needs "add"; if a (set of) value(s) is replaced, then one needs both "zap" (to delete old values) and "add" (to add new ones), and thus "write" is just fine. On a related note, I just realized this is not documented anywhere but in the mailing list. I suggest you file an ITS <http://ww.openldap.org/its/> to request a documentation update.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it

--
Faraz R Khan
Chief Architect
Emergen Consulting Pvt Ltd
+92.21.529.0381 x200
www.emergen.biz
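The add/zap split described in the quoted reply, worked through as an added slapd.conf example (not code from the thread or from the OpenLDAP project). The suffix dc=example,dc=com, the ou=People subtree and the two groups cn=registrars and cn=operators are assumptions chosen for illustration. Creating an entry needs "add" both on the children pseudo-attribute of the parent and on the new entry itself; deleting needs "delete" (the z privilege) in the same two places; a replace of an attribute value needs zap plus add, which is why the self clause is left at plain "write".

```conf
# Added example: hypothetical suffix, subtree and group DNs.
# Registrars may create person entries but never remove them;
# operators may remove entries but never create them.

# Parent: adding a child needs "add" on ou=People's children
# pseudo-attribute, deleting a child needs "delete" on it.
access to dn.exact="ou=People,dc=example,dc=com" attrs=children
        by group.exact="cn=registrars,ou=Groups,dc=example,dc=com" add
        by group.exact="cn=operators,ou=Groups,dc=example,dc=com" delete
        by users read

# The entries themselves. "self" comes first so a registrar or
# operator editing their own entry still gets full write: a
# replace is zap + add, so neither "add" nor "delete" alone
# would let them change an existing value.
access to dn.children="ou=People,dc=example,dc=com"
        by self write
        by group.exact="cn=registrars,ou=Groups,dc=example,dc=com" add
        by group.exact="cn=operators,ou=Groups,dc=example,dc=com" delete
        by users read

# Everything else, including the remaining attributes of ou=People
# itself, is readable by authenticated users only (default is deny).
access to *
        by users read
```

Before deploying, check the decision for a concrete bind DN and target with slapacl, e.g. `slapacl -f slapd.conf -D "cn=registrar1,ou=People,dc=example,dc=com" -b "cn=newuser,ou=People,dc=example,dc=com" entry/add` and the same query with `entry/delete`, which should be granted and denied respectively for a registrar. Remember that the first matching "access to" clause wins and, within it, the first matching "by" clause, so clause order is part of the policy.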