Hi,

On Tuesday 06 April 2004 17:01, [EMAIL PROTECTED] wrote:
> In a message dated: Tue, 06 Apr 2004 16:06:14 +0200
> Peter Marschall said:
> >Better use a configuration file on the client side that determines the
> >relation between the user's authorisation and the attributes the user is
> >allowed to change.
>
> Hmmm, perhaps my client could just parse the slapd.conf file directly then?
> That might solve my problem.

That only works if you have the client and OpenLDAP on the same machine (and
do not use in-directory ACIs). When used on different machines you need to
distribute it to the clients on every change.

> >Of course you may also create special LDAP attributes/entries for that
> >purpose.
>
> Hmmm, I'm beginning to wonder if editing LDAP directly is even a good
> idea. Perhaps I should move all this stuff directly to an RDB and
> populate LDAP from that instead :(

The company I work for uses quite a lot of applications that write to the
LDAP directory. Most of them are quite inflexible and do not read
authorization information from the directory.

The solution for them was an AUXILIARY objectclass authorizationGroup with an
attribute mayWriteTo (of course the original names are different) and to add
this objectclass to a groupOfNames.

dn: cn=Managers, ...
objectclass: groupOfNames
objectclass: authorizationGroup
mayWriteTo: manager
mayWriteTo: secretary
member: cn=The Big Boss, ....

With this setup one can find out in one search request which attributes
The Big Boss is allowed to write.

Hope it helps
Peter
--
Peter Marschall
eMail: [EMAIL PROTECTED]
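The lookup that setup allows, as an added example that is not part of the original mail: a Python script that emulates the single search (&(objectClass=authorizationGroup)(member=<dn>)) against a constructed in-memory copy of such entries, escapes the user's DN per RFC 4515 before it goes into the filter, and screens a requested modification on the client against the collected mayWriteTo values. The objectclass and attribute names follow the mail (the real ones differ, as it notes); the sample entries, DNs and the tiny LDIF reader are assumptions, and the server's own ACLs remain the authoritative control, this only spares the client a rejected modify.

```python
# Constructed sample entries in LDIF form; schema names follow the mail, not a real schema.
SAMPLE_LDIF = """\
dn: cn=Managers,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
objectClass: authorizationGroup
mayWriteTo: manager
mayWriteTo: secretary
member: cn=The Big Boss,ou=People,dc=example,dc=org

dn: cn=Staff,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
member: cn=The Big Boss,ou=People,dc=example,dc=org
member: cn=Jane Doe,ou=People,dc=example,dc=org
"""

def parse_ldif(text):
    """Minimal LDIF reader (no line folding, no base64): one {attr: [values]} per entry."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def escape_filter_value(value):
    """RFC 4515 escaping: a DN containing \\ * ( ) or NUL must not alter the filter."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, esc)
    return value

def authorization_filter(user_dn):
    # The one search request the mail relies on, as the filter a real client would send.
    return "(&(objectClass=authorizationGroup)(member=%s))" % escape_filter_value(user_dn)

def writable_attributes(entries, user_dn):
    """Emulate that search: union of mayWriteTo over authorizationGroup entries listing user_dn.
    A plain groupOfNames without the auxiliary class (Staff above) grants nothing."""
    allowed = set()
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        members = {m.lower() for m in e.get("member", [])}
        if "authorizationgroup" in classes and user_dn.lower() in members:
            allowed.update(v.lower() for v in e.get("maywriteto", []))
    return allowed

def denied_attributes(entries, user_dn, attrs_to_change):
    """Client-side screen before a modify: the requested attributes the user may not write."""
    allowed = writable_attributes(entries, user_dn)
    return {a for a in attrs_to_change if a.lower() not in allowed}
```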