
Re: Help for special ACL needed

--On Thursday, April 30, 2009 11:44 AM +0200 Florian Götz <f.goetz@hs-mannheim.de> wrote:

A warm "Hello" from Germany to the openldap-technical list!

I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server.
I need to write an ACL which allows a user to see his own entry
(objectClass built up on inetOrgPerson) and nothing else.
I know that this isn't the intended use of the LDAP system, but our
manager wants it that way.

Have you looked at the "self" keyword?

The keyword self means access to an entry is allowed to the entry itself (e.g. the entry being accessed and the requesting entry must be the same). It allows the level{<n>} style, where <n> indicates what ancestor of the DN is to be used in matches. A positive value indicates that the <n>-th ancestor of the user's DN is to be considered; a negative value indicates that the <n>-th ancestor of the target is to be considered. For example, a "by self.level{1} ..." clause would match when the object "dc=example,dc=com" is accessed by "cn=User,dc=example,dc=com". A "by self.level{-1} ..." clause would match when the same user accesses the object "ou=Address



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration
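As an added illustration of the "self" keyword for the situation in the question (this is example configuration written for this page, not part of the original reply or of the OpenLDAP documentation), the slapd.conf fragment below grants each user read access to his own entry and nothing else. The suffix dc=example,dc=com, the container ou=People and the entry uid=florian are assumed names; substitute your own. The clauses in an access directive are evaluated in order and the first "access to" whose target matches decides, so the userPassword rule and the optional self.level{1} rule must appear before the catch-all "access to *".

```conf
# Example slapd.conf ACLs (assumed suffix dc=example,dc=com, assumed
# container ou=People). Directives are matched top to bottom; the first
# "access to" whose target matches the entry/attribute is the one applied.

# 1. userPassword is handled first so that a user can still bind:
#    "anonymous auth" lets an unauthenticated client use the attribute for
#    the bind operation only (it cannot read it), "self write" lets the
#    user change his own password (use "self read" if even that is unwanted),
#    and everyone else gets nothing.
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

# 2. Optional, showing the level{n} form from the manpage: "self.level{1}"
#    matches when the target entry is the first ancestor (parent) of the
#    requester's DN. With a user uid=florian,ou=People,dc=example,dc=com this
#    rule lets him read the ou=People container itself, but no other entry.
#    Leave it out if the container should stay hidden as well.
access to dn.exact="ou=People,dc=example,dc=com"
    by self.level{1} read
    by * none

# 3. Everything else: a bound user may read only the entry he is bound as
#    ("self" = requester DN equals target DN). "by * none" is the default
#    when no clause matches, but stating it makes the intent explicit.
access to *
    by self read
    by * none
```

Two consequences worth checking before deploying this: anonymous and every other identity get no read or search access to any user entry, so a client application that needs to look up a user's DN from a login name (rather than binding with the full DN directly) will need its own bind identity with a separate "by dn.exact=... read" clause on the attributes it searches; and after editing slapd.conf, run slaptest to validate the syntax and then test the rules with ldapsearch bound as the user (the entry should come back) and as another user or anonymously (it should not).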