
Re: Access control for multiple admins

On 10/07/10 08:50, Dieter Kluenter wrote:
> Luiz Marcelo <85marcelo@gmail.com> writes:
>> Hello everyone!
>> Good, I have a scenario where two directors write on the same basis, e.g.
>> "cn=admin1,dc=domain,dc=com" and
>> "cn=admin2,dc=domain,dc=com"
>> In a general scope, both have write permission from the base. However,
>> assuming the user admin1 adds the entry:
>> "uid=john,ou=people,dc=domain,dc=com", only the admin1 user can modify
>> this entry, so each admin should only modify their own entries created
>> in any part of the base.
>> Would anyone have any idea how I could create an access control list
>> for this?
> I can provide an idea, but not a working solution :-)
> You may create a set access rule that only allows write access to an
> entry if the attribute value of creatorsName corresponds to the present
> authenticated user.
> Unfortunately there is almost no information available on sets, but
> you may search the archive of the openldap-software mailing list and
> http://www.openldap.org/faq/data/cache/1133.html
> http://www.openldap.org/faq/data/cache/1134.html

I thought this scenario would make a good example, but reading through
these FAQ entries I see that this exact situation is already documented:


Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
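
An added illustration of the set rule discussed in this thread, not part of either message and not copied from the FAQ entries: a slapd.conf ACL fragment, untested here, using the DNs from the original question. It assumes neither admin is the database rootdn (the rootdn bypasses ACLs), and the `by * read` / `by * none` fallbacks are placeholders for local policy.

```conf
# slapd.conf ACL fragment (added example; fallbacks are assumptions).
# slapd applies the first "access to" directive whose <what> matches,
# then the first matching "by" clause inside it.

# 1. Passwords: only the entry's creator may change them; anonymous
#    gets "auth" so simple binds still work; nobody else can read them.
access to dn.subtree="dc=domain,dc=com" attrs=userPassword
    by set="this/creatorsName & user" write
    by anonymous auth
    by * none

# 2. Adding or deleting an entry needs write access to the "children"
#    pseudo-attribute of its parent, so both admins get that everywhere.
access to dn.subtree="dc=domain,dc=com" attrs=children
    by dn.exact="cn=admin1,dc=domain,dc=com" write
    by dn.exact="cn=admin2,dc=domain,dc=com" write
    by * read

# 3. Everything else, including the "entry" pseudo-attribute that gates
#    add, delete and rename of the entry itself. The set expression is
#    {creatorsName of this entry} intersected with {bound DN}; access is
#    granted only when the intersection is non-empty.
access to dn.subtree="dc=domain,dc=com"
    by set="this/creatorsName & user" write
    by * read
```

creatorsName is an operational attribute maintained by slapd, so an admin cannot rewrite it to take over another admin's entries. The result can be checked offline with `slapacl`, for example `slapacl -f slapd.conf -D "cn=admin2,dc=domain,dc=com" -b "uid=john,ou=people,dc=domain,dc=com" "cn/write"`, which should report the write as denied when admin1 created the entry.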