
Re: ACL (Regex) help needed



On Thu, 6 Sep 2012 13:35:56 +0200,
Denny Schierz <linuxmail@4lin.net> wrote:

> hi,
> 
> I have the following structure:
> 
> cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> cn=foobar1,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> cn=foobar2,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> 
> cn=foobar looks like:
> 
> dn: foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: top
> cn: admin
> sn: admin
> description: added_by_dekanat
> mailLocalAddress: sysop@department.domain.foo
> mailRoutingAddress: foobar@department.domain.foo
> 
> At the moment I have one role "mail" that has access to:
> 
> dn.sub="ou=mail,ou=services,ou=department,dc=domain,dc=foo" read
> 
> it works as expected, the mailserver can read all entries. 
> 
> Now I want to create a role that has permissions to delete/add/modify
> all entries below ou=aliases, from all domains
> (dc=domain,ou=mail...), but only if "description: <string>" is found
> (for delete/modify only, but not for add).
> 
> Is that possible?

This can be achieved with sets:
http://www.openldap.org/faq/data/cache/1134.html
http://www.openldap.org/faq/data/cache/1132.html
http://www.openldap.org/faq/data/cache/1133.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
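As an added example (not from either poster, and using dn.regex plus a filter and OpenLDAP 2.4's fine-grained a/z privileges rather than the sets the reply points to), one slapd.conf fragment that expresses the rule asked for above; the role DN cn=aliasadmin,ou=roles,dc=domain,dc=foo is a placeholder, and the marker value is the one from the sample entry:

```conf
# Added example, not from the thread. Assumes OpenLDAP 2.4 with the default
# add_content_acl off, and that these clauses are placed before the existing
# dn.sub="ou=mail,..." read clause so the mail role still falls through to it.

# 1. The ou=aliases container of every dc=<domain>: write on the children
#    pseudo-attribute is what add and delete of child entries need.
access to dn.regex="^ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
        attrs=children
        by dn.exact="cn=aliasadmin,ou=roles,dc=domain,dc=foo" write
        by * break

# 2. Entries below ou=aliases that carry the marker: full write, which covers
#    modify and delete (no attrs list, so entry/children pseudo-attrs included).
access to dn.regex="^cn=[^,]+,ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
        filter="(description=added_by_dekanat)"
        by dn.exact="cn=aliasadmin,ou=roles,dc=domain,dc=foo" write
        by * break

# 3. Entries below ou=aliases without the marker: only the add bit (=a) on the
#    entry pseudo-attribute, so new entries can be created but existing ones
#    without the marker can neither be deleted (needs z) nor modified (needs w
#    on the changed attributes, which no clause grants here).
access to dn.regex="^cn=[^,]+,ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
        attrs=entry
        by dn.exact="cn=aliasadmin,ou=roles,dc=domain,dc=foo" =a
        by * break
```

Clause order matters: slapd uses the first `access to` whose dn, attrs and filter match, so the filtered clause must precede the unfiltered `attrs=entry` one.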