Hello,

I'd like to refine my permission set of my openldap installation.
The tree structure is:
dc=mydomain
        - cn=admin (ldap admin)
        - ou=domains (customer domains)
                - ou=example1.com
                        - cn=user1
                        - cn=user2
                        - cn=postmaster
                - ou=example2.com
                        - cn=user1
                        - cn=user2
                        - cn=postmaster

The user postmaster is able to change specific attributes of objects in its own 
"domain" (one level up).

The current ACLs are defined as:

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword  
        by dn.base="cn=admin,dc=mydomain" write
        by self write
        by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
        by anonymous auth
        by * none
access to attrs=userPassword
        by dn.base="cn=admin,dc=mydomain" write
        by self write
        by anonymous auth
        by * none
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
        attrs=sn,description,vacationActive,vacationInfo,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
        by self write
        by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
        by * read
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
        by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
        by * read
access to * 
        by dn.base="cn=admin,dc=mydomain" write
        by * read

ACL rule 4 allows the postmaster to add objects to its "domain" without any 
restrictions. How can I restrict the object creation to specific object classes 
and attributes? Let's say postmaster should only be able to add objects like 
the following:

dn: cn=user3,ou=example2.com,ou=domains,dc=mydomain
objectClass: CourierMailAccount
objectClass: inetOrgPerson
objectClass: top
objectClass: Vacation
cn: user3
homeDirectory: user3/example2.com/
mail: user3@example2.com
sn: User3
vacationActive: TRUE
gidNumber: 5000
smtpRelayFlag: 1
uidNumber: 5000
userPassword:: <crypted password>
vacationInfo:: <binary data>

I didn't find such an approach in the Faq-O-Matic or the manuals.
Thanks in advance for any advice.
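One way to express that restriction, as an added example that is not part of the original post: it replaces rule 4 above, keeps the two userPassword rules and the profile-attribute rule in place before it, and assumes a slapd.conf on an OpenLDAP release whose ACLs support filter= and the entry/children pseudo-attributes (the `add_content_acl` directive referenced in the comments exists in newer slapd.conf(5) releases only).

```conf
# Added example (not from the original post). Replaces the poster's
# rule 4, which gave postmaster unrestricted write in its domain.
# slapd evaluates ACLs first-match, so order matters: keep the two
# userPassword rules and the profile-attribute rule above these three.

# 1. Postmaster may create (and delete) children of its own ou only.
#    "children" is checked on the parent ou, so no objectClass filter here.
access to dn.regex="^ou=([^,]+),ou=domains,dc=mydomain$" attrs=children
        by dn.base="cn=admin,dc=mydomain" write
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
        by * none

# 2. Add/delete also needs write on the "entry" pseudo-attribute, which is
#    checked against the entry being added, so the filter decides which
#    object classes postmaster can create. An entry lacking any of these
#    classes does not match here, falls through to rule 3 and gets no write.
#    userPassword is deliberately absent: the poster's rule 1 already
#    grants postmaster write on it within its own domain.
access to dn.regex="^cn=[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
        filter="(&(objectClass=inetOrgPerson)(objectClass=CourierMailAccount)(objectClass=Vacation))"
        attrs=entry,objectClass,cn,sn,mail,homeDirectory,uidNumber,gidNumber,smtpRelayFlag,vacationActive,vacationInfo
        by dn.base="cn=admin,dc=mydomain" write
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
        by * read

# 3. Everything else under ou=domains is read-only for postmaster.
#    Attributes not listed in rule 2 or in the profile-attribute rule can
#    no longer be written by postmaster, on new or on existing entries.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
        by dn.base="cn=admin,dc=mydomain" write
        by * read

# Note: by default slapd only checks children/entry (and the filter) on an
# add, not every attribute of the new entry. To have the attrs list in
# rule 2 enforced on add as well, set in the global section of slapd.conf:
#   add_content_acl on
# (see slapd.conf(5); older releases lack this directive).
```

Test with ldapadd as the postmaster: an entry without objectClass Vacation, or with an attribute outside the list (when add_content_acl is on), is refused with "Insufficient access", while the sample user3 entry above is accepted.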
