[LUGOS] ldap - acl
Tomaz Kravcar
tomaz at afna.info
Wed Jun 28 03:26:24 CEST 2006
Hi,
I have the following structure in my LDAP directory:
dc=com
 |
dc=example
 |
 +-----------------------+-------------------+
 |                       |                   |
ou=users            ou=addressbook        cn=admin
 |
 +-----------+
 |           |
uid(1)     uid(2)...
 |           |
ou=addressbook   ou=addressbook
The goal is the following:
- all users can write to (ou=addressbook,dc=example,dc=com),
- each user has a private address book that only they can access
(ou=addressbook,uid=(.*),ou=users,dc=example,dc=com).
Everything works fine, except for access to the private address book (#PRIVATE
ADDRESSBOOK), which I can only see if I log in as cn=admin,dc=example,dc=com.
######## slapd.conf ##########
...
#PASSWORDS
access to attrs=userPassword
    by dn="cn=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

#PRIVATE ADDRESSBOOK
#access to dn.regex="^ou=addressbook,uid=([^,]+),ou=users,dc=example,dc=com$"
access to dn.subtree="ou=addressbook,uid=(.*),ou=users,dc=example,dc=com"
    by dn="uid=$1,ou=users,dc=example,dc=com" write
    by * read
access to dn.subtree="ou=addressbook,uid=(.*),ou=users,dc=example,dc=com"
    by dn="uid=$1,ou=users,dc=example,dc=com" write
    by * none

#ADDRESSBOOK
access to dn.subtree="ou=addressbook,dc=example,dc=com"
    by users write
    by anonymous none

access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * none

defaultaccess none
...
###########################
Regards, tomaz
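Added illustration, not part of Tomaz's post and not OpenLDAP code: a small Python model of how slapd walks an access list, used to show why the posted rules behave exactly as described. It models only the DN-based <what> styles dn.subtree and dn.regex and the <who> forms *, anonymous, users, self, dn=, dn.exact= and dn.exact,expand=; the attrs=userPassword rule is left out because it does not depend on the entry DN. The point it reproduces is that dn.subtree takes a literal DN, so "(.*)" and "$1" are plain characters there: the two private-addressbook rules never match any real entry, every request falls through to "access to *", and only cn=admin gets anything. The corrected rule set assumes the dn.regex and dn.exact,expand syntax from slapd.access(5) (check against your slapd version) and widens the commented-out regex with an optional "(.+,)?" prefix so that entries beneath the private ou are covered, not just the ou itself. The user and entry DNs used are constructed sample values.

```python
"""Toy model of OpenLDAP-style ACL evaluation (constructed example, not slapd code).

Rules are (what_style, what_pattern, [(who, level), ...]).  what_style is
"subtree" (literal DN suffix match) or "regex".  who is "*", "anonymous",
"users", "self", or a tuple ("dn" | "dn.exact" | "dn.exact,expand", pattern).
"""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd ordering, for reference

def _norm(dn):
    """Case-insensitive, whitespace-tolerant DN normalisation."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def _what_matches(style, pattern, target):
    """Return (matched, regex_groups).  dn.subtree compares literally, so a
    pattern containing '(.*)' can only match a DN that literally contains
    '(.*)' -- this is why the posted private-addressbook rules never fire."""
    if style == "subtree":
        t, p = _norm(target), _norm(pattern)
        return (t == p or t.endswith("," + p)), ()
    m = re.match(pattern, target, re.IGNORECASE)
    return (m is not None), (m.groups() if m else ())

def _expand(pattern, groups):
    """Substitute $1..$9 with submatches of the <what> regex (the ',expand' modifier)."""
    return re.sub(r"\$(\d)", lambda g: groups[int(g.group(1)) - 1] or "", pattern)

def _who_matches(who, binder, target, groups):
    kind, pattern = who if isinstance(who, tuple) else (who, None)
    if kind == "*":
        return True
    if kind == "anonymous":
        return binder is None
    if kind == "users":
        return binder is not None
    if kind == "self":
        return binder is not None and _norm(binder) == _norm(target)
    if kind == "dn.exact,expand":
        pattern = _expand(pattern, groups)
    # plain dn= / dn.exact= compare literally: "$1" stays the two characters "$1"
    return binder is not None and _norm(binder) == _norm(pattern)

def evaluate(rules, binder, target):
    """First <what> clause matching the target wins; inside it the first matching
    <by> clause decides the level.  No match at all -> none (defaultaccess none)."""
    for style, pattern, by_clauses in rules:
        matched, groups = _what_matches(style, pattern, target)
        if not matched:
            continue
        for who, level in by_clauses:
            if _who_matches(who, binder, target, groups):
                return level
        return "none"
    return "none"

ADMIN = "cn=admin,dc=example,dc=com"
BASE = "dc=example,dc=com"

# The DN-based rules as posted (userPassword rule omitted).
POSTED_RULES = [
    ("subtree", "ou=addressbook,uid=(.*),ou=users," + BASE,
        [(("dn", "uid=$1,ou=users," + BASE), "write"), ("*", "read")]),
    ("subtree", "ou=addressbook,uid=(.*),ou=users," + BASE,
        [(("dn", "uid=$1,ou=users," + BASE), "write"), ("*", "none")]),
    ("subtree", "ou=addressbook," + BASE,
        [("users", "write"), ("anonymous", "none")]),
    ("regex", ".*", [(("dn", ADMIN), "write"), ("*", "none")]),
]

# Corrected (assumed slapd.conf form, per slapd.access(5)):
#   access to dn.regex="^(.+,)?ou=addressbook,uid=([^,]+),ou=users,dc=example,dc=com$"
#       by dn.exact="cn=admin,dc=example,dc=com" write
#       by dn.exact,expand="uid=$2,ou=users,dc=example,dc=com" write
#       by * none
FIXED_RULES = [
    ("regex", r"^(.+,)?ou=addressbook,uid=([^,]+),ou=users,dc=example,dc=com$",
        [(("dn.exact", ADMIN), "write"),
         (("dn.exact,expand", "uid=$2,ou=users," + BASE), "write"),
         ("*", "none")]),
    ("subtree", "ou=addressbook," + BASE,
        [("users", "write"), ("anonymous", "none")]),
    ("regex", ".*", [(("dn.exact", ADMIN), "write"), ("*", "none")]),
]

if __name__ == "__main__":
    alice = "uid=alice,ou=users," + BASE            # constructed sample user
    entry = "cn=Friend,ou=addressbook,uid=alice,ou=users," + BASE
    print("posted, alice on own entry:", evaluate(POSTED_RULES, alice, entry))  # none
    print("fixed,  alice on own entry:", evaluate(FIXED_RULES, alice, entry))   # write
```

evaluate() returns the access level as a string, so the same function can be run for any binder/entry pair you want to reason about; note that the first posted private rule would have given "by * read" to everyone had it matched, so a corrected config should keep only the single rule ending in "by * none".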