----- "fathi engineer" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> In the process of setting up an openldap server as a pgp key server,
> I want to grant access to every authenticated user to create a new
> entry in a subtree of the basedn and everybody to read entries in
> that subtree but only creator to be able to modify his entries.
>
> I tried with the following (unsuccessfully):
>
> access to dn.children="ou=PGP Keys,o=SNCFT,c=TN"
> by dn.regex="^uid=([^,]+),(ou=[^,]+,)+ou=Users,o=SNCFT,c=TN$"
> selfwrite
> by dn.regex="^uid=([^,]+),ou=Users,o=SNCFT,c=TN$" write
> by * read
>
> and also
> by dnattr=owner selfwrite
> by users write
> by * read
>
> but none worked.
>
> I am running openldap-2.3.27-8.el5_2.4
Did you read slapd.access(5)? Did you read the requirements for the add and
modify operations? You need to add access to "entry" to allow entry addition;
you need to add access to attributes to allow their modification. And "owner"
is a specific attribute of some objectClasses; unless you're creating those
objects with the correct "owner" value, the creator will not be able to write
them. You should use
by dnattr=creatorsName write
The "self" is not needed; it refers to a user writing to a target corresponding
to its own name, or to an attribute whose value consists of its own name.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: [EMAIL PROTECTED]
-----------------------------------
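An added example, not part of the thread, putting the reply's points into a slapd.conf ACL for the layout in the question: the DNs are the ones the asker posted, and the rules follow slapd.access(5) for 2.3 (add needs write on the parent's "children" pseudo-attribute and on the new entry's "entry" pseudo-attribute; modify needs write on the attributes touched). The dnattr=creatorsName clause only does its job on add if creatorsName is already set in the entry when the ACL is evaluated, which the reply implies; that is an assumption to verify against your own server version.

```conf
# Added example (not from the thread). DNs are taken from the question;
# adjust them to your directory. Rules are evaluated in order and the
# first "access to" that matches the target wins.

# 1. Creating an entry requires write access to the "children"
#    pseudo-attribute of the parent. Any authenticated user ("users")
#    may therefore add entries directly under the PGP Keys container;
#    anonymous users can only read.
access to dn.base="ou=PGP Keys,o=SNCFT,c=TN" attrs=children
        by users write
        by * read

# 2. Entries under the container. The write grant covers the "entry"
#    pseudo-attribute (needed to add or delete the entry) and the real
#    attributes (needed to modify them). dnattr=creatorsName matches only
#    the bind DN stored in the entry's own creatorsName, i.e. whoever
#    created it, so other users cannot modify or delete it.
#    Assumption: creatorsName is already populated when the add is
#    ACL-checked; verify with your version before relying on it.
access to dn.children="ou=PGP Keys,o=SNCFT,c=TN"
        by dnattr=creatorsName write
        by * read
```

For an entry that already exists, slapacl(8) can confirm the intended outcome without touching the live server, for example `slapacl -f /etc/openldap/slapd.conf -D "uid=alice,ou=Users,o=SNCFT,c=TN" -b "cn=somekey,ou=PGP Keys,o=SNCFT,c=TN" entry/write` (the uid and cn values here are constructed), which should report write access only when alice is the entry's creatorsName and read-only otherwise.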