
ACL for object creation in subtree with specific attributes and object classes



Hello,

I'd like to refine my permission set of my openldap installation.
The tree structure is:
dc=mydomain
	- cn=admin (ldap admin)
	- ou=domains (customer domains)
		- ou=example1.com
			- cn=user1
			- cn=user2
			- cn=postmaster
		- ou=example2.com
			- cn=user1
			- cn=user2
			- cn=postmaster

The user postmaster is able to change specific attributes of objects in its own "domain" (one level up).

The current ACLs are defined as:

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword  
	by dn.base="cn=admin,dc=mydomain" write
	by self write
	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
	by anonymous auth
	by * none
access to attrs=userPassword
	by dn.base="cn=admin,dc=mydomain" write
	by self write
	by anonymous auth
	by * none
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=sn,description,vacationActive,vacationInfo,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
	by self write
	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
	by * read
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
	by * read
access to * 
	by dn.base="cn=admin,dc=mydomain" write
	by * read

ACL rule 4 allows the postmaster to add objects to its "domain" without any restrictions. How can I restrict the object creation to specific object classes and attributes? Let's say postmaster should only be able to add objects like the following:

dn: cn=user3,ou=example2.com,ou=domains,dc=mydomain
objectClass: CourierMailAccount
objectClass: inetOrgPerson
objectClass: top
objectClass: Vacation
cn: user3
homeDirectory: user3/example2.com/
mail: user.3@exampl2.com
sn: User3
vacationActive: TRUE
gidNumber: 5000
smtpRelayFlag: 1
uidNumber: 5000
userPassword:: <crypted password>
vacationInfo:: <binary data>

I didn't find such an approach in the Faq-O-Matic or the manuals.
Thanks in advance for any advice.
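The restriction asked about above can be expressed with slapd's "entry" and "children" pseudo-attributes, a filter= clause in the <what> part of the rule, and an explicit attribute whitelist: an add succeeds only if the requester has write access to the parent's children pseudo-attribute, to the new entry's entry pseudo-attribute, and to every attribute the new entry carries. The following is an added example written for this post, not configuration from the poster or from the OpenLDAP project. It reuses the tree layout and the domain regex from the message; the whitelisted attribute list and the use of CourierMailAccount as the gating object class are assumptions taken from the sample entry.

```conf
# Added example, not the poster's configuration. Rules are tried in order and
# slapd stops at the first "access to" whose <what> matches, so the specific
# rules must come before the catch-all subtree rule.

# 1. Password handling, unchanged from the post.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by anonymous auth
    by * none
access to attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by anonymous auth
    by * none

# 2. Creating an entry needs write on the parent's "children" pseudo-attribute.
#    This regex matches the ou=<domain> entry itself, so $1 is the postmaster's
#    own domain and a postmaster cannot add under another domain's ou.
access to dn.regex="^ou=([^,]+),ou=domains,dc=mydomain$" attrs=children
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

# 3. ... and write on the new entry's "entry" pseudo-attribute. The filter is
#    evaluated against the entry being added, so only a cn= entry that carries
#    objectClass CourierMailAccount (assumed gating class) can be created.
access to dn.regex="^cn=[^,]+,ou=([^,]+),ou=domains,dc=mydomain$" filter="(objectClass=CourierMailAccount)" attrs=entry
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

# 4. Every attribute of the new entry must be writable by the postmaster, so
#    this list (an assumption based on the sample entry) is the whitelist.
#    An add carrying any attribute not granted here or in rules 1 and 5 is
#    refused. sn, vacationActive and vacationInfo come from rule 5,
#    userPassword from rule 1.
access to dn.regex="^cn=[^,]+,ou=([^,]+),ou=domains,dc=mydomain$" attrs=objectClass,cn,mail,homeDirectory,uidNumber,gidNumber,smtpRelayFlag
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

# 5. Self-service attributes from the post, also writable by the postmaster.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=sn,description,vacationActive,vacationInfo,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by * read

# 6. Everything else under ou=domains is read-only. The original rule 4
#    ("by postmaster write" on the whole subtree) is deliberately dropped;
#    it was what allowed unrestricted object creation.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
    by * read

access to *
    by dn.base="cn=admin,dc=mydomain" write
    by * read
```

Two caveats a practitioner would want. First, the filter only requires that CourierMailAccount be present; it cannot forbid extra object classes on the same entry, so if that matters the allowed auxiliary classes have to be enforced elsewhere (e.g. by schema). Second, write on the entry pseudo-attribute also permits deleting (and, together with children on the parent, renaming) the matching entries; if the postmaster should create but never delete, the installed slapd's slapd.access(5) should be checked for the finer add/delete privilege split so rules 2 and 3 can grant only the add half. To verify the result, bind as a domain's postmaster with ldapadd and confirm that the sample entry is accepted while an entry with an extra attribute (say, uid) or without CourierMailAccount is refused, and that the same add under the other domain's ou is refused as well.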