
Re: Openldap fine grained / advanced ACLs

Faraz R. Khan wrote:
So basically I can do:

to * by cn=admin,dc=company,dc=com add by cn=faraz,dc=company,dc=com zap

That is indeed not documented anywhere. Will start an ITS

Not exactly like that, but sort of:

access to *
	by "cn=admin,dc=company,dc=com" "=a"
	by "cn=faraz,dc=company,dc=com" "=z"

If those identities need further privileges (e.g. search or so) they must be explicitly listed, namely

access to *
	by "cn=admin,dc=company,dc=com" "=dxcsra"
	by "cn=faraz,dc=company,dc=com" "=dxcsrz"

See slapd.access(5) for details about the syntax and the meaning of each symbol.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it
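The privilege semantics from the reply above, modelled as an added Python example (not code from this thread or from the OpenLDAP project): it expands slapd.access(5) level keywords and `=`/`+`/`-` privilege strings so a reviewer can see exactly which operations each `by` clause grants, which makes visible why `=a` alone gives no search or read. The `expand` and `audit` helpers and the embedded sample stanzas are constructed here.

```python
import shlex

# Added example, not from the thread or from OpenLDAP. Models the cumulative
# access levels and privilege letters of slapd.access(5); 'w' is shorthand for 'az'.
LEVELS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "dxc", "search": "dxcs",
    "read": "dxcsr", "write": "dxcsraz", "manage": "dxcsrazm",
}
PRIVS = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
         "r": "read", "a": "add", "z": "delete", "m": "manage"}

def expand(spec, current=frozenset()):
    """Privilege set granted by one access spec ('=a', 'write', '+s', ...).
    `current` is what earlier clauses granted, for the relative '+'/'-' forms."""
    spec = spec.strip().strip('"')
    if spec.startswith("self"):          # 'self' restricts the target, not the level
        spec = spec[4:]
    if spec in LEVELS:                   # a level keyword is an exact privilege set
        spec = "=" + LEVELS[spec]
    op, flags = spec[:1], spec[1:]
    if op not in ("=", "+", "-"):
        raise ValueError(f"unknown access spec: {spec!r}")
    flags = flags.replace("w", "az").replace("0", "")
    granted = {PRIVS[f] for f in flags}  # an unknown letter raises KeyError
    if op == "=":
        return frozenset(granted)
    if op == "+":
        return frozenset(current | granted)
    return frozenset(current - granted)

def audit(stanza):
    """Map each `by <who>` in an `access to` stanza to its granted privileges."""
    result = {}
    for line in stanza:
        parts = shlex.split(line)        # shlex handles the quoted DNs
        if len(parts) >= 3 and parts[0] == "by":
            result[parts[1]] = expand(parts[2])
    return result

# Constructed sample input: the two stanzas from the reply above.
ADD_DELETE_ONLY = ["access to *", '\tby "cn=admin,dc=company,dc=com" "=a"',
                   '\tby "cn=faraz,dc=company,dc=com" "=z"']
WITH_LOOKUP = ["access to *", '\tby "cn=admin,dc=company,dc=com" "=dxcsra"',
               '\tby "cn=faraz,dc=company,dc=com" "=dxcsrz"']

if __name__ == "__main__":
    for name, stanza in (("add/delete only", ADD_DELETE_ONLY), ("with lookup", WITH_LOOKUP)):
        for who, privs in audit(stanza).items():
            print(f"{name}: {who} -> {sorted(privs) or ['none']}")
```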