
Re: idea for access rules



> Hi all,
>
> maybe this is not the right list for this question; in that case
> I apologize for this post.
>
> I have no idea how to define access rules for the following case. I have
> an LDAP tree like this:
>
> ou=users
>   cn=me
> ou=data
>   ou=data1, owner=cn=me,ou=users
>     cn=fact1
>     cn=fact2
>   ou=data2, owner=cn=somebodyelse,ou=users
>     cn=fact3
>     cn=fact4
>
> (one line represents one LDAP entry with some of its attributes,
> the level of indentation represents the tree structure)
>
> The point is the subtree starting at "ou=data1". The root node of this
> subtree (ou=data1) has an attribute "owner" with a DN of a user account
> which can be used to bind to the LDAP server (cn=me,ou=users).
>
> Now I want to define, that this specific user has write access to
> some attributes of cn=fact1,ou=data1 and cn=fact2,ou=data2 etc...
>
> I am searching for a rule like this:
>
> access
>   to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3"
>   by dnattr="owner of node ou=data1,ou=data" write
>
> Obviously, this dnattr syntax is not valid, but I guess you see
> what I want. Any ideas how to realize this?

Try

access to dn.children="ou=data1,ou=data"
        by set="[ou=data1,ou=data]/owner & user" write

p.
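Spelled out as a slapd.conf fragment, the two rules below are an added example and are not part of either message above. Rule 1 is the suggested set rule with the attribute restriction the question asked for. Rule 2 is a generalization to every subtree under ou=data, so that no rule per data subtree is needed; it assumes the `this/-1` parent selector of the set syntax is available in the slapd release in use, which should be checked against slapd.access(5). Use one of the two, not both.

```conf
# Added example (not from the original posts). Assumes the tree from the
# question: user entries live under ou=users, and each data subtree under
# ou=data carries an "owner" attribute holding the DN of a user entry.

# 1. Literal form of the suggested rule, restricted to the attributes the
#    question named. "[dn]/owner" expands to the owner values of that
#    entry, "user" is the bound DN, and "&" keeps the intersection, so the
#    by-clause matches only when the bound DN is the owner of ou=data1.
access to dn.children="ou=data1,ou=data" attrs=attr1,attr2,attr3
        by set="[ou=data1,ou=data]/owner & user" write

# 2. Generic form for all data subtrees. "this" is the entry being
#    accessed; "this/-1" strips its last RDN, i.e. selects its parent
#    (ou=dataN,ou=data for the entries in the question), and "/owner"
#    reads that parent's owner attribute. An entry whose parent has no
#    owner (ou=data1 itself, whose parent is ou=data) yields an empty set
#    and is therefore denied.
#    Assumption: the "/-1" selector is supported by the slapd in use.
access to dn.children="ou=data" attrs=attr1,attr2,attr3
        by set="this/-1/owner & user" write
```

Two caveats apply to either rule. First, an `access to` clause that matches the target is the only one consulted for that entry and those attributes, so if identities other than the owner should still read attr1..attr3, append `by * read` (or whatever the rest of the tree grants) after the set clause; otherwise they fall through to the implicit deny. Second, clauses are evaluated in configuration order, so this rule must appear before any broader rule that also matches those entries. Before relying on it, test the decision with slapacl, e.g. `slapacl -f slapd.conf -b "cn=fact1,ou=data1,ou=data" -D "cn=me,ou=users" attr1/write`, and repeat with `-D "cn=somebodyelse,ou=users"` to confirm the non-owner is denied.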