<quote who="Zhang Weiwu">
> Dear list,
>
> I've posted this question before. Maybe it's my bad English, but I didn't
> get a solution, nor an answer of "it's impossible" either, so I'm posting
> again (yes, I know people answer me for free and out of kindness, and I am
> really thankful for all feedback).
>
> Is it possible to define an ACL so that every user who has successfully
> bound (logged in) can modify their own entry as well as the sub-entries
> below it?
>
> e.g.
> dn: ou=support,xxx
>
> If one connection is bound to this dn, it can modify these entries:
>
> dn: cn=Wang Penghui,ou=support,xxx
> dn: cn=Zhang Weiwu,ou=support,xxx
>
> Now we have some 3000 people who can log in to the LDAP database, and each
> is logged in as an entry which is an organization or organizationalUnit.
> They all need to be able to modify entries within their own organization
> or organizationalUnit.
>
> I know how to define one ACL rule for one user to be able to modify an entry
> and its subtree, but in my case I would need to define 3000 ACL rules (and
> this number is still growing). Can such a permission requirement be
> defined within a limited number of ACL rules?
</quote>

Just use a regular expression (dn.regex) and capture the user's cn, cn=(.*), and ou=support,(.*), then use $1 and $2. See man slapd.access.

<quote who="Zhang Weiwu">
> Best Regards
> --
> Zhang Weiwu
> Real Softservice
> http://www.realss.com
> +86 592 2091112
</quote>
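As an added illustration (this is not from the reply above and not from the OpenLDAP project), here is one way to write the dn.regex rule for the scenario in the question, where the bound DN is itself the organization or organizationalUnit entry that owns the subtree. The suffix `dc=example,dc=com` and the assumption that every owning entry sits directly under that suffix are mine; the question only shows `ou=support,xxx`.

```conf
# slapd.conf access directive (constructed example, not from the list post).
# Assumed suffix: dc=example,dc=com. Each "owner" entry is assumed to be an
# o= or ou= entry directly under the suffix; 3000 such entries need only this
# one rule because the owner DN is captured from the target, not listed.
#
# Regex groups (POSIX ERE, as used by slapd):
#   $1 = the RDNs above the owner entry, e.g. "cn=Zhang Weiwu,"; empty when
#        the target is the owner entry itself (the group is optional)
#   $2 = the owner entry, e.g. "ou=support,dc=example,dc=com"
#        ("ou?=" matches both "o=" and "ou=")
access to dn.regex="^(.+,)?(ou?=[^,]+,dc=example,dc=com)$"
        by dn.exact,expand="$2" write
        by users read
        by * none

# Everything not covered above: authenticated users may read, nobody else.
access to *
        by users read
        by * none
```

Two points worth checking before relying on this. First, the rule grants write only when the bound DN is exactly the captured `$2`, so an entry bound as `ou=sales,ou=support,dc=example,dc=com` gets nothing from it; nested owners would need a different capture. Second, order matters in slapd ACLs, so this directive must come before any broader `access to *` rule, and the result is easy to confirm offline with slapacl, for example `slapacl -D "ou=support,dc=example,dc=com" -b "cn=Zhang Weiwu,ou=support,dc=example,dc=com" cn/write` versus the same check with a different bind DN, which should be denied.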
