[EMAIL PROTECTED] wrote:
> Taking the following structure as a reference:
>
>     o=ditta,c=it
>     |
>     +----Rubrica
>     |    |
>     |    +----cn=admin
>     |    |
>     |    +----Amministrazione
>     |    |    |
>     |    |    +----cn=admin
>     |    |
>     |    +----Vendite
>     |    |    |
>     |    |    +----cn=admin
>     |    |
>     |    +----Magazino
>     |         |
>     |         +----cn=admin
>     |
>     +----Altro
>
> and the ACL below, as entered in slapd.conf:
>
>     access to dn.subtree="ou=Amministrazione,ou=Rubrica,o=ditta,c=it"
>         by dn="cn=admin,ou=Amministrazione,ou=Rubrica,o=ditta,c=it" write
>         by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=admin,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=anonymous,o=ditta,c=it" read
>         by self write
>         by anonymous auth
>
>     access to dn.subtree="ou=Vendite,ou=Rubrica,o=ditta,c=it"
>         by dn="cn=admin,ou=Vendite,ou=Rubrica,o=ditta,c=it" write
>         by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=admin,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=anonymous,o=ditta,c=it" read
>         by self write
>         by anonymous auth
>
>     access to dn.subtree="ou=Magazino,ou=Rubrica,o=ditta,c=it"
>         by dn="cn=admin,ou=Magazino,ou=Rubrica,o=ditta,c=it" write
>         by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=admin,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=anonymous,o=ditta,c=it" read
>         by self write
>         by anonymous auth
>
>     # the catch-all directive; the original had a stray leading comma
>     # in the DN ("ou=Rubrica..." preceded by ","), removed here
>     access to dn.subtree="ou=Rubrica,o=ditta,c=it"
>         by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=admin,ou=Rubrica,o=ditta,c=it" write
>         by dn="cn=anonymous,o=ditta,c=it" read
>         by self write
>         by anonymous auth
>
> and bearing in mind that a userPassword is also set for every cn=admin.
>
> The question is:
>
> 1) Is it possible to add a cn=admin user to the db that has write
>    privileges on its own branch, without always having to update
>    the ACLs in the slapd.conf file?
>
> 2) If so, taking the structure reported above as a reference, could
>    you give an example?
Yes, yes:

    # access to the sub-branches; in particular, the cn=admin of the
    # sub-branch gets write access.
    # The regex is anchored with ^ and $ so that it only matches whole
    # DNs; $2 captures the ou value alone, so "ou=" is put back in
    # front of it in the expansion.
    access to dn.regex="^(.+,)?ou=([^,]+),ou=Rubrica,o=ditta,c=it$"
        by dn.expand="cn=admin,ou=$2,ou=Rubrica,o=ditta,c=it" write
        by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
        by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
        by dn="cn=anonymous,o=ditta,c=it" read
        by self write
        by anonymous auth

    # access to everything else that is not caught by the rule above;
    # in particular, the same "by" clauses, except the sub-branch
    # cn=admin.
    access to dn.subtree="ou=Rubrica,o=ditta,c=it"
        by dn.subtree="cn=admin,ou=Rubrica,o=ditta,c=it" write
        by dn="cn=admin,ou=elenchinlinea,ou=Rubrica,o=ditta,c=it" write
        by dn="cn=anonymous,o=ditta,c=it" read
        by self write
        by anonymous auth

Ciao, p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   [EMAIL PROTECTED]
---------------------------------------
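Added example, not part of the reply above: a small Python model of the two access directives, useful for checking which bind DN ends up with which access before loading the ACL into slapd. The DN normalisation, the rule tuples and the sample DNs are constructed simplifications; only the regex, the expansion and the "first matching by wins" order follow the reply.

```python
import re

SUFFIX = "ou=rubrica,o=ditta,c=it"
# Sub-branch entries: the second group captures only the ou *value*, so the
# expansion below must put "ou=" back in front of $2 (anchored with ^ and $).
BRANCH_RE = re.compile(r"^(.+,)?ou=([^,]+)," + re.escape(SUFFIX) + "$")

def normalize(dn):
    """Toy DN normalisation (slapd compares normalised DNs): lowercase, no blanks."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_subtree(base, dn):
    return dn == base or dn.endswith("," + base)

def access_for(target_dn, requester_dn=None):
    """Access level the first matching 'access to' directive grants
    requester_dn (None = anonymous bind) on target_dn:
    'write', 'read', 'auth' or 'none'."""
    target = normalize(target_dn)
    who = normalize(requester_dn) if requester_dn else None
    common = [  # 'by' clauses shared by both directives, in slapd order
        ("dn.subtree", f"cn=admin,{SUFFIX}", "write"),
        ("dn", f"cn=admin,ou=elenchinlinea,{SUFFIX}", "write"),
        ("dn", "cn=anonymous,o=ditta,c=it", "read"),
        ("self", None, "write"),
        ("anonymous", None, "auth"),
    ]
    m = BRANCH_RE.match(target)
    if m:  # first directive: dn.regex plus dn.expand of the branch admin
        rules = [("dn", f"cn=admin,ou={m.group(2)},{SUFFIX}", "write")] + common
    elif in_subtree(SUFFIX, target):  # second directive: rest of ou=Rubrica
        rules = common
    else:  # neither directive applies to this entry
        return "none"
    for kind, value, level in rules:  # first matching 'by' wins, as in slapd
        if kind == "dn" and who == value:
            return level
        if kind == "dn.subtree" and who is not None and in_subtree(value, who):
            return level
        if kind == "self" and who == target:
            return level
        if kind == "anonymous" and who is None:
            return level
    return "none"

if __name__ == "__main__":
    entry = "cn=mario,ou=Vendite,ou=Rubrica,o=ditta,c=it"  # constructed sample
    print(access_for(entry, "cn=admin,ou=Vendite,ou=Rubrica,o=ditta,c=it"))   # write
    print(access_for(entry, "cn=admin,ou=Magazino,ou=Rubrica,o=ditta,c=it"))  # none
```

The second call shows the point of the regex directive: the Magazino admin gets nothing on a Vendite entry, while the Rubrica-level admin still gets write everywhere through the dn.subtree clause.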
_______________________________________________
OpenLDAP mailing list
OpenLDAP@sys-net.it
https://www.sys-net.it/mailman/listinfo/openldap