> I need the user to be able to add a subentry below his own entry.
>
> In this structure:
>
> dc=cz
> ou=People
> uid=test1
> dc=123 ??
> uid=test2
>
> How do I write an ACI so that test1 can add only under his own entry? Sadly,
> (target = "ldap:///self") is not permitted.
>
> Any idea how to write an ACI at the level of ou=People?
I have found a solution:

(targetfilter = "(&(objectclass=appPassword)(!(objectClass=inetOrgPerson)))")(version 3.0;acl "appPassword parent (add, delete)";allow (add,delete)(userdn = "ldap:///parent");)
and one more to hide the added entries from everyone except the parent:

(targetattr = "*")(targetfilter = "(objectclass=appPassword)")(version 3.0;acl "appPassword hide except parent";deny (all)(userdn = "ldap:///anyone" and not userdn = "ldap:///parent");)
:)
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
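As an added example (not part of Jan's post or the 389 DS project), the two ACIs above written out as an LDIF that installs them on ou=People,dc=cz and then adds a subentry as test1. It assumes that appPassword is a custom objectClass already present in the schema and that cn is used as the naming attribute of the subentry (the post leaves the naming attribute open); both are assumptions, and the password value is a constructed placeholder.

```ldif
# Record 1: install both ACIs on the container. Apply as an administrator,
# e.g. ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f aci.ldif
# (constructed example; suffix dc=cz and the appPassword objectClass are assumptions)
dn: ou=People,dc=cz
changetype: modify
add: aci
aci: (targetfilter = "(&(objectclass=appPassword)(!(objectClass=inetOrgPerson)))")(version 3.0;acl "appPassword parent (add, delete)";allow (add,delete)(userdn = "ldap:///parent");)
aci: (targetattr = "*")(targetfilter = "(objectclass=appPassword)")(version 3.0;acl "appPassword hide except parent";deny (all)(userdn = "ldap:///anyone" and not userdn = "ldap:///parent");)

# Record 2: add a subentry while bound as the owner. Apply with
# ldapmodify -x -H ldap://localhost -D "uid=test1,ou=People,dc=cz" -W -f add.ldif
# The first ACI allows this only because the parent of the new DN is the bind DN
# and the entry matches the targetfilter (appPassword, not inetOrgPerson).
dn: cn=app1,uid=test1,ou=People,dc=cz
changetype: add
objectClass: top
objectClass: appPassword
cn: app1
userPassword: PLACEHOLDER-change-me

# The same record bound as uid=test2 is rejected with "Insufficient access",
# and a search by test2 for (objectclass=appPassword) returns no entries,
# because the second ACI denies all rights to every bind DN except the parent.
```

Deny ACIs take precedence over allow ACIs in 389 DS, so the second ACI also blocks test1 from reading appPassword entries under other users even if some broader read ACI on ou=People would otherwise permit it.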