On 05.08.2014, at 11:39, Dieter Klünter <[email protected]> wrote:

> Am Tue, 5 Aug 2014 09:41:36 +0200
> schrieb Simeon Ott <[email protected]>:
> 
>> […]
>>      by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
>>      by * read
>> access to *
>>      by dn.base="cn=admin,dc=mydomain" write
>>      by * read
>> 
>> ACL rule 4 allows the postmaster to add objects to its "domain"
>> without any restrictions. How can I restrict the object creation to
>> specific object classes and attributes? Let's say postmaster should
>> only be able to add objects like the following:
> [...]
> man slapd.access(5), the <WHAT> field: @<objectClass>
> 
> -Dieter
> 

Thanks Dieter, I tried the following already … instead of rule 3 and 4 I used
the following:

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
        attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,vacationInfo,smtpRelayFlag,description,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
        by self write
        by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch" write
        by * read

access to dn.regex="^ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=children
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write
        by * read

As postmaster I'm still able to add objects to its domain. But I'm also able
to add other object classes and attributes.

I think I'm messing around with the attributes entry and children – can anyone help me
clean up? :-)
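Added as an illustration of the slapd.access(5) mechanics the thread is about; it is not a posted reply and not a tested fix for the configuration above. It assumes the placeholder base dc=mydomain, the object classes named in the thread, and that slapd.conf has add_content_acl on (slapd.conf(5) documents this directive; it defaults to off in the 2.4 series, and while it is off, only the children and entry pseudo-attributes are checked on add, so any attrs-level rule is never consulted for a new entry).

```conf
# Added example, not from the thread. An ldapadd by the postmaster needs:
#   1. write on pseudo-attribute "children" of the parent (the ou=<domain> entry),
#   2. write on pseudo-attribute "entry" of the new entry,
#   3. with add_content_acl on: write on every attribute value in the new entry,
#      objectClass values included.
# Rules are evaluated in order; the first "access to" whose <what> matches wins.

add_content_acl on

# Rule 1: objectClass values the postmaster may assert. Listed first because
# "@top" and "@inetOrgPerson" expand to objectClass as well and would otherwise
# grant write on any value. Superior classes must be listed too, since the
# client supplies the whole chain for an inetOrgPerson entry.
access to dn.regex="^[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
        attrs=objectClass val.regex="^(top|person|organizationalPerson|inetOrgPerson|CourierMailAccount)$"
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
        by * read

# Rule 2: any other objectClass value is read-only for everyone but the rootdn,
# so an add carrying it is rejected before the broader rule below is reached.
access to dn.regex="^[^,]+,ou=([^,]+),ou=domains,dc=mydomain$" attrs=objectClass
        by * read

# Rule 3: the new entry itself plus the attributes those classes require or
# allow. An attribute outside these expansions matches no write clause here
# and falls through to the catch-all, which only lets the admin write.
access to dn.regex="^[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
        attrs=entry,@inetOrgPerson,@CourierMailAccount
        by self write
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
        by * read

# Rule 4: permission to create children directly under the domain entry.
access to dn.regex="^ou=([^,]+),ou=domains,dc=mydomain$" attrs=children
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
        by * read

# Rule 5: everything else stays admin-only.
access to *
        by dn.base="cn=admin,dc=mydomain" write
        by * read
```

After reloading, an add as the postmaster with an extra objectClass value or an attribute outside the expansions should fail with insufficient access, which can be confirmed by raising loglevel to include acl (128) and reading the per-attribute decisions in the slapd log.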
