On Tue, 5 Aug 2014 09:41:36 +0200, Simeon Ott <[email protected]> wrote:
> Hello,
>
> I'd like to refine the permission set of my openldap installation.
> The tree structure is:
>
> dc=mydomain
> - cn=admin (ldap admin)
> - ou=domains (customer domains)
>   - ou=example1.com
>     - cn=user1
>     - cn=user2
>     - cn=postmaster
>   - ou=example2.com
>     - cn=user1
>     - cn=user2
>     - cn=postmaster
>
> The user postmaster is able to change specific attributes of objects
> in its own "domain" (one level up).
>
> The current ACLs are defined as:
>
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
>         attrs=userPassword
>         by dn.base="cn=admin,dc=mydomain" write
>         by self write
>         by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
>         by anonymous auth
>         by * none
>
> access to attrs=userPassword
>         by dn.base="cn=admin,dc=mydomain" write
>         by self write
>         by anonymous auth
>         by * none
>
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
>         attrs=sn,description,vacationActive,vacationInfo,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
>         by self write
>         by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
>         by * read
>
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
>         by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
>         by * read
>
> access to *
>         by dn.base="cn=admin,dc=mydomain" write
>         by * read
>
> ACL rule 4 allows the postmaster to add objects to its "domain"
> without any restrictions. How can I restrict the object creation to
> specific object classes and attributes? Let's say postmaster should
> only be able to add objects like the following:
[...]

man slapd.access(5), the <WHAT> field:
@<objectClass>

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
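An added worked example, written here and not taken from the thread, showing how the `@<objectClass>` form of the `attrs=` list that Dieter points to can replace the poster's rule 4. Rule 4 grants the postmaster `write` on every attribute of every entry under its domain, which includes the `entry` and `children` pseudo-attributes that an add operation is checked against, so it permits creating anything. The fragment below assumes, as assumptions not stated in the thread, that the mailbox entries are `inetOrgPerson` objects, that RDN values contain no commas, and that the clauses are placed after the two `userPassword` clauses and before `access to *`; slapd uses the first `<what>` clause that matches, so that ordering matters.

```conf
# Added example, not from the thread: a replacement for the poster's rule 4.
# Assumptions: mailbox entries are inetOrgPerson objects, RDN values contain
# no commas, and these clauses sit after the two userPassword clauses and
# before "access to *". slapd stops at the first matching <what> clause.

# Creating (or deleting) an entry directly below ou=<domain> requires write
# access to the parent's "children" pseudo-attribute. Grant only that on the
# domain ou itself, nothing else on the ou.
access to dn.regex="^ou=([^,]+),ou=domains,dc=mydomain$" attrs=children
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
        by * read

# The new entry itself: "entry" is the pseudo-attribute the add is checked
# against, @inetOrgPerson expands at startup to every attribute that
# inetOrgPerson and its superclasses require or allow, and the filter limits
# the clause to entries that actually carry that objectClass. An add of any
# other class, or of an attribute outside the class, finds no matching write
# here and falls through to the read-only clause below, so it is refused.
access to dn.regex="^cn=[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
        filter=(objectClass=inetOrgPerson)
        attrs=entry,@inetOrgPerson
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
        by self read
        by * read

# Everything else under a domain stays readable, as in the original rule 4,
# but without the blanket write for the postmaster.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
        by * read
```

To check the result, bind as one of the postmaster accounts and attempt two `ldapadd` operations under its own domain, one `inetOrgPerson` entry and one entry of some other class; the second should be rejected with `Insufficient access (50)`. Two caveats: the `userPassword` clauses earlier in the file still decide access to that attribute, because they match first; and `objectClass` itself is writable under the second clause (top requires it), so this restricts which attributes can be written, not which auxiliary classes the postmaster may list. If the latter matters, add a separate clause for `objectClass` with a `val.regex` restriction ahead of this one.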
