OpenLDAP access control for a specific entry
Is it possible to restrict access to specific entries in the directory?
For example, I have the following entries:
dn: ou=Contacts,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts

dn: uid=3.0,ou=Contacts,dc=test,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: Contact
uid: 3.0
sn: contact1
cn: contact1
telephoneNumber: 43534216576767
street: street test1
ou: contactType1
givenName: contact1
mail: contact1@test.org
mobile: 62346254365243
o: contact1
displayName: contact1

dn: uid=4.0,ou=Contacts,dc=test,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: Contact
uid: 4.0
sn: contact2
cn: contact2
telephoneNumber: 4353421655246
street: street test2
ou: contactType2
givenName: contact2
mail: contact2@test.org
mobile: 62346254365243
o: contact2
displayName: contact2
Is there a way to restrict access only to the entries that have the attribute "ou: contactType1"?
Here is the ACL:
access to dn.regex="^uid=[^,]+,ou=Contacts,dc=test,dc=com$"
by set="this/ou & user/employeeType" read
by * none
Read access is granted to users whose "employeeType" attribute equals the contact's "ou" attribute. Please correct me if I'm wrong.
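One way to restrict only the contactType1 entries while leaving the other contacts readable, as an added slapd.conf-style example that is not part of the original question. It assumes a database holding dc=test,dc=com, that user entries carry an employeeType attribute, and that ACL clauses are evaluated in order with the first matching "access to" target deciding the outcome.

```conf
# Added example (not the poster's ACL). slapd.conf syntax; the same clauses
# work as olcAccess values under cn=config with {n} ordering prefixes.

# 1. Authenticated users may read the container, so subtree and one-level
#    searches under ou=Contacts have a reachable base entry.
access to dn.base="ou=Contacts,dc=test,dc=com"
    by users read
    by * none

# 2. Restricted contacts only: the filter= clause narrows this rule to entries
#    whose ou is contactType1. "this" is the entry being accessed, "user" is
#    the bound DN, and "&" is set intersection, so the by-clause matches when
#    at least one of the user's employeeType values equals the entry's ou.
#    (Sets are documented as experimental in slapd.access(5).)
access to dn.one="ou=Contacts,dc=test,dc=com" filter=(ou=contactType1)
    by set="this/ou & user/employeeType" read
    by * none

# 3. Every other contact under ou=Contacts stays readable by authenticated
#    users. This clause must come after clause 2: a contactType1 entry also
#    matches this target, and only the first matching rule is consulted.
access to dn.one="ou=Contacts,dc=test,dc=com"
    by users read
    by * none
```

Check the result offline with slapacl(8) before reloading, for example `slapacl -D "<user dn>" -b "uid=3.0,ou=Contacts,dc=test,dc=com"`, once for a user whose employeeType is contactType1 and once for a user without it.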