On Thu, 6 Sep 2012 13:35:56 +0200, Denny Schierz <[email protected]> wrote:
> hi,
>
> I have the following structure:
>
> cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> cn=foobar1,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> cn=foobar2,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
>
> cn=foobar looks like:
>
> dn: foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: top
> cn: admin
> sn: admin
> description: added_by_dekanat
> mailLocalAddress: [email protected]
> mailRoutingAddress: [email protected]
>
> At the moment I have one role "mail" that has access to:
>
> dn.sub="ou=mail,ou=services,ou=department,dc=domain,dc=foo" read
>
> It works as expected; the mail server can read all entries.
>
> Now I want to create a role that has permissions to delete/add/modify
> all entries below ou=aliases, from all domains
> (dc=domain,ou=mail...), but only if "description: <string>" is found
> (for delete/modify only, but not for add).
>
> Is that possible?

This can be achieved by sets:

http://www.openldap.org/faq/data/cache/1134.html
http://www.openldap.org/faq/data/cache/1132.html
http://www.openldap.org/faq/data/cache/1133.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
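The ACLs below are an added example of the set-based approach Dieter points to; they are not from the thread or from the OpenLDAP FAQ. The role DNs cn=aliasadmin,ou=roles,dc=domain,dc=foo and cn=mail,ou=roles,dc=domain,dc=foo are assumed (Denny's post does not show what his "mail" role binds as), the marker value added_by_dekanat is taken from his example entry, and slapd.conf syntax is used (the same text goes into olcAccess values, each prefixed with {n}).

```conf
# Added example, not from the original thread. Role DNs are assumptions.
#
# Order matters: slapd uses the first "access to" clause whose target
# matches, so these rules must come before the existing broad
# dn.sub="ou=mail,..." read rule, which stays at the end.

# 1. Adding or deleting an entry below ou=aliases requires write access
#    to the "children" pseudo-attribute of that ou=aliases container.
#    The regex covers every dc=<domain> container under ou=mail.
access to dn.regex="^ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$" attrs=children
        by dn.exact="cn=aliasadmin,ou=roles,dc=domain,dc=foo" write
        by dn.exact="cn=mail,ou=roles,dc=domain,dc=foo" read
        by * none

# 2. The alias entries themselves. Delete needs write on the "entry"
#    pseudo-attribute; modify needs write on every attribute it touches.
#    "this/description" is the set of description values of the target
#    entry; intersecting it with the literal [added_by_dekanat] is
#    non-empty only when the marker is present. All selectors in a single
#    "by" clause must match, so write requires the role DN AND the marker.
access to dn.regex="^cn=[^,]+,ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
        attrs=entry,objectClass,cn,sn,description,mailLocalAddress,mailRoutingAddress
        by dn.exact="cn=aliasadmin,ou=roles,dc=domain,dc=foo" set="this/description & [added_by_dekanat]" write
        by dn.exact="cn=aliasadmin,ou=roles,dc=domain,dc=foo" read
        by dn.exact="cn=mail,ou=roles,dc=domain,dc=foo" read
        by * none

# 3. Existing rule for the mail role, unchanged; it is only reached for
#    targets the two rules above did not match.
access to dn.sub="ou=mail,ou=services,ou=department,dc=domain,dc=foo"
        by dn.exact="cn=mail,ou=roles,dc=domain,dc=foo" read
        by * none
```

Two caveats a practitioner should expect. First, slapd evaluates an add against the entry being added with the same "write to entry and its attributes" check as a modify, so with these rules an add only succeeds when the new entry already carries description: added_by_dekanat; the ACL layer cannot distinguish add from modify on the target entry itself (only the parent's children check is shared by add and delete), so "add without the marker, modify only with it" is not expressible this way and the realistic policy is that the role must include the marker in everything it creates. Second, a modify is checked against the entry as stored before the change, so the role can remove the marker from an entry and thereby lock itself out of further changes to it. Since the literal here is fixed, the same condition could be placed on the target side as filter="(description=added_by_dekanat)" in the access to clause; sets become the better tool when the condition relates the target entry to the binding user (for example this/description & user/ou). Before deploying, check the effective rights offline with slapacl, e.g. slapacl -f slapd.conf -D "cn=aliasadmin,ou=roles,dc=domain,dc=foo" -b "cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo" "entry/write" "description/write".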
