On Tue, 2007-05-15 at 17:08 +0200, Hallvard B Furuseth wrote:
> Zhang Weiwu writes:
> > Is it possible to define an ACL so that every user who has successfully
> > bound (logged in) can modify their own entry as well as the sub-entries
> > beneath it?
> >
> > e.g.
> > dn: ou=support,xxx
> >
> > if one connection is bound to this dn, it can modify these entries:
> >
> > dn: cn=Wang Penghui,ou=support,xxx
> > dn: cn=Zhang Weiwu,ou=support,xxx
>
> Something like this:
>
> access to attrs=userPassword
>     by self =wx
>     by * auth
>
> access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
>     by dn.expand="$2" write
>     by * read
>
> Since you must first say what to access and then who should get access
> to it, this variant depends on getting the regex for who can access
> things exactly right.
>
> This prevents 'ou' users from changing someone else's userPassword though.
> So you can put this at the top to combine the two accesses:
>
> access to attrs=userPassword dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
>     by self write
>     by dn.expand="$2" write
>     by * read
>
> Or you could do something like this (untested):
>
> access to * by * read break
>
> access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$"
>     by dn.expand="$2" write break
>     by * +0 break
>
> access to attrs=userPassword
>     by self =wx
>     by * -rscd
>
> access to * by * +0
>
> The 'break' means to go on and process the next access statements even
> when the 'to' matches the entry being accessed. '+' and '-' mean to
> add to or subtract from the access already granted. The final access
> matches everything and stops the default access rules from being used,
> so things done with 'break' do not get overridden unexpectedly.
Thanks very much for this very detailed and helpful answer! I think now I am very close to getting my system configured :)
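
As an added example that is not part of the thread (the ACL fragments quoted above are Hallvard's; this one is mine), here is the "break" variant assembled into a complete ACL section for slapd.conf. Two assumptions: the thread's placeholder suffix xxx is replaced by dc=example,dc=com, and the unit entries are ou= entries, so the pattern uses ou= instead of the quoted ou?= (which, because the u is optional, would also match o= entries). The dn.regex pattern is matched against the normalized DN, so the anchored suffix must be written in normalized form.

```conf
# Added example, not from the original thread. Assumes suffix
# dc=example,dc=com (stand-in for the thread's "xxx") and ou= unit entries.

# 1. Everyone starts with read on everything. 'break' keeps evaluating the
#    following clauses instead of stopping at the first match.
access to *
    by * read break

# 2. An entry equal to, or anywhere below, ou=<unit>,dc=example,dc=com may be
#    written by the identity bound as that ou entry; $2 expands to the second
#    regex group, i.e. "ou=<unit>,dc=example,dc=com". '+0' adds nothing but,
#    with 'break', lets everyone else fall through to the later clauses.
access to dn.regex="^(.+,)?(ou=[^,]+,dc=example,dc=com)$"
    by dn.expand="$2" write break
    by * +0 break

# 3. userPassword: the entry itself gets exactly write+auth (=wx, no read back).
#    Everyone else loses read, search, compare and disclose, so an anonymous or
#    unrelated bind keeps only auth (x) for binding, while the ou identity from
#    clause 2 keeps its write bit.
access to attrs=userPassword
    by self =wx
    by * -rscd

# 4. Terminal clause: matches everything, grants nothing more, and has no
#    'break', so the implicit default ACL never overrides what was accumulated.
access to *
    by * +0
```

Because the result depends on clause order and on the accumulated +/- privileges, check it with slapacl before deploying rather than by reading the file. With the entries loaded, the following (my own invocations, using the thread's example DNs) should report write as ALLOWED for the first and DENIED for the second:

slapacl -f /etc/openldap/slapd.conf -D "ou=support,dc=example,dc=com" -b "cn=Wang Penghui,ou=support,dc=example,dc=com" userPassword/write

slapacl -f /etc/openldap/slapd.conf -D "cn=Zhang Weiwu,ou=support,dc=example,dc=com" -b "cn=Wang Penghui,ou=support,dc=example,dc=com" userPassword/write

Add -u if the target entry is not yet in the database, so slapacl evaluates the rules without fetching it.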
