directory-users mailing list archives

From Eugen Paraschiv <>
Subject Re: regarding ACI
Date Thu, 10 Jul 2008 06:55:19 GMT
I have tried to export my DIT as LDIF so I can send it, but with no 
success. I simply exported the tree, connecting as the admin (so that 
there are no problems with ACI), with the filter (objectClass=*) and 
with the scope set to subtree. The only information in the exported ldif 
is one entry (the access control subentry) and then it stops. There is 
no trace of my structure, so I will try to describe it again. The 
structure (and the idea) is simple:
I want my members to be able to have their own private address books. To 
achieve this, I simply added in each member (ex. cn=Joan Baez) a subentry 
(ou=contacts). In there, I then added some sample contacts 
(cn=Contact1); so the structure is simply: member-contacts-contact1...
What I would like to do is bind with a member and see that he indeed has 
access not only to his own entry, but to all the sub entries in his 
entry (so he evidently has access to his own address book).
This was my only idea as to how I could implement a private address 
book, not in a completely inelegant structure. I first thought this to be 
the default behavior of ACI, that is when I gave access to an entry I 
implicitly gave access to its substructure as well, but it seems not to 
be so.
One solution would of course be to define a subtree, with the entry of 
the member as a root and spanning a couple of levels down, and then give 
the user access to that. But to do this, I have to define the subtree 
relative to the root of the user with which I bind, so that I only have 
to define one rule for all the members, as opposed to defining each 
subtree by hand, for each member, and then defining a rule for every 
member, which will be completely unpractical of course. There is a way 
to reference the entry of the member with which I bind (the 'This 
Entry'), but, seeing the docs are a little behind, I have no idea how to 
work with this entry and then define a subtree with it as the root.
Now if this is not actually possible (I'm really hoping that's not the 
case), how would I go about structuring my users so that they can access 
their address books only? I could split the address book from the user, 
but I'd rather not, until I've exhausted all other options.
I have thought about another possible solution (if this is of any 
interest) by simply defining a groupOfNames or groupOfUniqueNames as the 
address book, but this type of entry seems to be unreadable by an email 
client (it should be, but it's not), so I cannot use it.
Thank you for your answers. Eugen.

Eugen Paraschiv, Java Developer
Grigore Alexandrescu 52
Bucharest, 010626, Romania
Tel: +40728-896170; 
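As an added example (not part of Eugen's message, and not ApacheDS code or configuration), the following Python models the access rule he describes: a bound member may read his own entry and everything beneath it, a couple of levels down. It expresses that rule as a DN-suffix check over a constructed sample DIT shaped like the one in the message (member, then ou=contacts, then contact entries). The base DN ou=members,dc=example,dc=com, the second member, and the default depth of two levels are assumptions; the code only models the intended policy so it can be tested against sample DNs, it does not configure any directory server.

```python
# Added example (not from the original message or ApacheDS): a model of the
# rule "a bound member may read his own entry and its subtree, a couple of
# levels down", expressed as a DN-suffix check over a constructed sample DIT.

# Constructed sample DIT mirroring the structure described in the message:
# member -> ou=contacts -> contact entries. The base DN and the second
# member are assumptions, not taken from the message.
SAMPLE_DIT = [
    "ou=members,dc=example,dc=com",
    "cn=Joan Baez,ou=members,dc=example,dc=com",
    "ou=contacts,cn=Joan Baez,ou=members,dc=example,dc=com",
    "cn=Contact1,ou=contacts,cn=Joan Baez,ou=members,dc=example,dc=com",
    "cn=Second Member,ou=members,dc=example,dc=com",
    "ou=contacts,cn=Second Member,ou=members,dc=example,dc=com",
    "cn=Contact1,ou=contacts,cn=Second Member,ou=members,dc=example,dc=com",
]


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def normalize_dn(dn):
    """Lower-case attribute types and values and trim whitespace so that
    'CN=Joan Baez' and 'cn=joan baez' compare equal (a simplification of
    real LDAP matching rules, which are defined per attribute)."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append(attr.strip().lower() + "=" + value.strip().lower())
    return out


def subtree_depth(entry_dn, base_dn):
    """Return how many levels entry_dn lies below base_dn (0 for the base
    itself), or None when the entry is not under the base at all."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)


def is_within_subtree(entry_dn, base_dn, max_depth=2):
    """Model of the intended rule: the entry is readable when it is the base
    itself or lies at most max_depth levels beneath it."""
    depth = subtree_depth(entry_dn, base_dn)
    return depth is not None and depth <= max_depth


def readable_entries(bind_dn, dit=SAMPLE_DIT, max_depth=2):
    """All DNs in the DIT the bound member should be able to read under the
    rule above, i.e. his own entry plus his private address book."""
    return [dn for dn in dit if is_within_subtree(dn, bind_dn, max_depth)]


if __name__ == "__main__":
    joan = "cn=Joan Baez,ou=members,dc=example,dc=com"
    for dn in readable_entries(joan):
        print("readable by Joan:", dn)
```

Running the block lists Joan's own entry, her ou=contacts subentry and cn=Contact1, and nothing belonging to the other member. The depth limit is what keeps the rule from silently covering anything deeper than the address book if the structure later grows, and the normalisation step is there because a suffix comparison on raw strings would treat a differently cased or differently spaced DN as a different entry.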