
Re: controlling ACL's with dn's contained in attributes?



> Hello,
>
> I am struggling to find a good "ACL Cookbook" site if anyone knows of
> one please post to the list.

Info is disseminated in different places, I admit.
The most up-to-date (I don't want to make jokes
about you should read the code :) is the slapd.access(5)
man page.

> I think it could help a lot of people. In
> the absence of that my question is as follows:
>
> I would like to utilize the filter= ACL in order to maintain a structure
> as flat as possible.  I intend to create a custom schema to create a
> attribute for our customers called salesMan which would contain a dn
> similar to the manager attribute. I'd like to know if it's possible to
> create an ACL where the salesman has the ability to write to dn or the
> manager of the salesman as defined in the salesman's Manager attribute
> has the write ability. I can always wrap this all in application layer
> bits but it would be nice to make use of OpenLDAP's native ACL's to
> manage this. Anyone have any pointers?

I think an

access to dn=<dn of data>
    by dnattr=salesman write
    by * <whatever permission to non-salesman>

this causes a write operation to succeed on <dn of data>
if the operation's DN is equal to the value of the "salesman"
attribute in entry <dn of data>, which can be exact (the
default) or any form of sub-DN including regex(7); you can
further restrict access to parts of the entry according
to the <what> part of slapd.access(5).

I frankly don't understand the part of your question that
refers to the manager of the salesman.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
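A small model of the dnattr= decision described in the reply, added as an example for this thread; it is not slapd's code, and the subtree, entry DNs and the salesman values are constructed placeholders. The comments carry the access directive being modelled.

```python
from typing import Optional

# Modelled access directive (constructed for this example; salesman is the
# custom DN-valued attribute the question describes):
#
#   access to dn.subtree="ou=customers,dc=example,dc=com"
#       by dnattr=salesman write
#       by * read
SCOPE = "ou=customers,dc=example,dc=com"
DNATTR = "salesman"

def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: lower-case attribute types and values and
    strip whitespace around each RDN. Real slapd applies each attribute's
    matching rule; this is adequate for cn/ou/dc style DNs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def in_subtree(dn: str, base: str) -> bool:
    """dn.subtree: the entry itself or anything below it."""
    dn_n, base_n = normalize_dn(dn), normalize_dn(base)
    return dn_n == base_n or dn_n.endswith("," + base_n)

def access_for(bound_dn: str, entry_dn: str, entry_attrs: dict) -> Optional[str]:
    """Return the access level this directive grants, or None when its <what>
    clause does not cover the entry (slapd would then try the next directive)."""
    if not in_subtree(entry_dn, SCOPE):
        return None
    # Attribute types are case-insensitive: salesMan and salesman are the same.
    values = [v for k, vs in entry_attrs.items() if k.lower() == DNATTR for v in vs]
    # <by> clauses are tried in order; the first one that matches wins.
    if bound_dn and normalize_dn(bound_dn) in {normalize_dn(v) for v in values}:
        return "write"          # by dnattr=salesman write
    return "read"               # by * read (also matches an anonymous bind)

# Constructed sample entry: a customer whose salesMan attribute names Jane.
CUSTOMER_DN = "cn=Acme Corp,ou=customers,dc=example,dc=com"
CUSTOMER = {"salesMan": ["cn=Jane Doe,ou=people,dc=example,dc=com"]}

if __name__ == "__main__":
    print(access_for("cn=jane doe, ou=People,dc=example,dc=com", CUSTOMER_DN, CUSTOMER))
    print(access_for("cn=Bob Roe,ou=people,dc=example,dc=com", CUSTOMER_DN, CUSTOMER))
```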