
Re: Access control for multiple admins

On 10.07.2010 08:50, Dieter Kluenter wrote:
> Luiz Marcelo <85marcelo@gmail.com> writes:
>> Hello everyone!
>> Good, I have a scenario where two directors write on the same base, e.g.
>> "cn=admin1,dc=domain,dc=com" and
>> "cn=admin2,dc=domain,dc=com"
>> In general scope, both have write permission on the base. However,
>> assuming the user admin1 adds the entry
>> "uid=john,ou=people,dc=domain,dc=com", only the admin1 user can modify
>> this entry, so each admin should only modify their own entries created
>> in any part of the base.
>> Would someone have any idea how I could create an access control list
>> for this?
> I can provide an idea, but not a working solution :-)
> You may create a set access rule that only allows write access to an
> entry if the attribute value of creatorsName corresponds to the present
> authenticated user.
> Unfortunately there is almost no information available on sets, but
> you may search the archive of the openldap-software mailing list and
> http://www.openldap.org/faq/data/cache/1133.html
> http://www.openldap.org/faq/data/cache/1134.html
> -Dieter


Why use sets? He could just use a filter in <what>, like this:

   # Entries whose creatorsName is admin1: admin1 may write, everyone else reads.
   access to filter="(creatorsName=cn=admin1,dc=domain,dc=com)"
       by dn="cn=admin1,dc=domain,dc=com" write
       by * read

   # Entries whose creatorsName is admin2: admin2 may write, everyone else reads.
   access to filter="(creatorsName=cn=admin2,dc=domain,dc=com)"
       by dn="cn=admin2,dc=domain,dc=com" write
       by * read

Christian Manal
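The filter rules above cover modifying an entry once it exists, but slapd evaluates "access to" clauses in order and uses only the first one whose target matches, so two more things have to be covered before the scenario from the question works end to end: adding "uid=john" needs write access to the "children" pseudo-attribute of "ou=people", which neither admin created, and entries whose creatorsName is neither admin (created by the rootdn, or loaded with slapadd) match neither filter. The following slapd.conf fragment is an added example, not code from the thread or from OpenLDAP itself. It assumes OpenLDAP 2.4 syntax, the DNs used in the thread, and that "ou=people,dc=domain,dc=com" already exists; it also generalizes the per-admin filter pair to a single rule using the dnattr= form from slapd.access(5), and pairing dnattr with the operational attribute creatorsName is an assumption that should be verified on a test server.

```conf
# Added example, not code from the original thread. Assumes OpenLDAP 2.4
# slapd.conf syntax, the DNs used in the thread, and that
# "ou=people,dc=domain,dc=com" already exists. Rules are evaluated in
# order; the first "access to" clause whose target matches decides.

# 1. Creating uid=john,ou=people,... requires write access to the
#    "children" pseudo-attribute of the parent. The parent was not
#    created by either admin, so a creatorsName-based rule on its own
#    would never grant the add.
access to dn.exact="ou=people,dc=domain,dc=com" attrs=children
    by dn.exact="cn=admin1,dc=domain,dc=com" write
    by dn.exact="cn=admin2,dc=domain,dc=com" write
    by * none

# 2. Everything under ou=people: write for whoever's DN is stored in the
#    entry's creatorsName (slapd sets it to the bind DN that added the
#    entry), read for everyone else. This one dnattr= rule replaces one
#    filter="(creatorsName=...)" rule per admin and needs no change when
#    a third admin is added. Using dnattr with the operational attribute
#    creatorsName is the assumption this rule rests on. Entries created
#    by anyone else (rootdn, slapadd) fall through to "by * read".
access to dn.subtree="ou=people,dc=domain,dc=com"
    by dnattr=creatorsName write
    by * read
```

To widen this from ou=people to "any part of the base", as the question asks, change the dn.subtree scope of the second rule to "dc=domain,dc=com" and add a children rule for each container the admins may create entries in. The result can be checked offline with slapacl(8) against the configured database once a test entry exists, for example by asking whether "cn=admin2,dc=domain,dc=com" (-D) has write access to sn on "uid=john,ou=people,dc=domain,dc=com" (-b, argument "sn/write"); it should report the access as denied, while the same query for admin1 should be allowed.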