
Re: Access control for multiple admins



On 10/07/10 08:50, Dieter Kluenter wrote:
> Luiz Marcelo <85marcelo@gmail.com> writes:
> 
>> Hello everyone!
>>
>> Well, I have a scenario where two administrators write to the same base, e.g.
>>
>> "cn=admin1,dc=domain,dc=com" and
>> "cn=admin2,dc=domain,dc=com"
>>
>> In general, both have write permission on the base. However,
>> assuming the user admin1 adds the entry
>> "uid=john,ou=people,dc=domain,dc=com", only the admin1 user should be able
>> to modify this entry; that is, each admin should only be able to modify the
>> entries they themselves created, anywhere in the base.
>>
>> Would anyone have an idea how I could create an access control list
>> for this?
> 
> I can provide an idea, but not a working solution :-)
> You may create a set access rule that only allows write access to an
> entry if the attribute value of creatorsName corresponds to the present
> authenticated user.
> Unfortunately there is almost no information available on sets, but
> you may search the archive of the openldap-software mailing list and
> http://www.openldap.org/faq/data/cache/1133.html
> http://www.openldap.org/faq/data/cache/1134.html

I thought this scenario would make a good example, but reading through
these FAQ entries I see that this exact situation is already documented:

http://www.openldap.org/faq/data/cache/1140.html

Jonathan
-- 
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
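The rule Dieter sketches above (grant write access only when the entry's creatorsName matches the bound DN) can be written as a slapd.conf ACL. The fragment below is an added example, not code from the thread or from the linked FAQ entries; it assumes the suffix dc=domain,dc=com, that the managed entries live under ou=people, and the two admin DNs from the original question.

```conf
# Added example (not from the thread or the OpenLDAP FAQ): slapd.conf ACLs
# that let each admin modify only the entries that admin created.
# Assumed: suffix dc=domain,dc=com, entries under ou=people, and the two
# admin DNs cn=admin1 / cn=admin2 from the question.

# 1. Let both admins create entries under ou=people. Adding an entry
#    requires write access to the parent's "children" pseudo-attribute;
#    nobody else may add or delete children there.
access to dn.base="ou=people,dc=domain,dc=com" attrs=children
    by dn.exact="cn=admin1,dc=domain,dc=com" write
    by dn.exact="cn=admin2,dc=domain,dc=com" write
    by * none

# 2. Writes to entries under ou=people (attributes plus the "entry"
#    pseudo-attribute needed for modify/delete) are granted only when the
#    bound DN is the entry's creator. In the set, "this" is the target
#    entry, "/creatorsName" dereferences that attribute, and "user" is the
#    authenticated DN; the intersection is non-empty, so access is granted,
#    only when they are the same DN. Everyone authenticated may read.
access to dn.subtree="ou=people,dc=domain,dc=com"
    by set="this/creatorsName & user" write
    by users read
    by * none
```

Two practical notes. creatorsName is an operational attribute maintained by slapd itself, so an admin cannot simply claim another admin's entry by rewriting it in a normal modify. Before relying on the rule, verify it offline with slapacl, which evaluates the configured ACLs for a given bind DN and target without a running server, e.g. `slapacl -f slapd.conf -v -D "cn=admin2,dc=domain,dc=com" -b "uid=john,ou=people,dc=domain,dc=com" "sn/write"`, which should report that write is denied to admin2 for an entry admin1 created, while the same command with `-D "cn=admin1,dc=domain,dc=com"` should report it allowed.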