
Why Upgrade to 8.7? How About [This]?

Novell Cool Solutions: Feature
By Israel Forst


Posted: 22 Nov 2002
 

If you attended BrainShare 2002 you may have attended session IO307 titled "Introduction to the Hot New LDAP Features in eDirectory 8.7". In this session (you can download the presentation here), Gary Anderson and Alan Clark talked about a new feature in eDirectory that allows a programmer using LDAP (or an administrator armed with iManager) to quickly and easily give users the ability to modify certain attributes in their own user object.

The example that Gary and Alan give in their presentation has a system administrator asking, "How do I give my users the ability to update their own phone numbers in the directory?"

The answer they give is: Apply read, compare, and write rights to [This] for the telephoneNumber attribute high up in the tree and let each user inherit the right to modify this attribute in their own object.

Since BrainShare, Solution Support Lead Israel Forst has been taking advantage of these new features extensively. Here are a few of his secrets:

[Self]

The [Self] ACL is simply a macro, if you will, that refers to the object itself. Rather than use the DN of the object in the ACL, you can reference [Self]. Here are a couple of examples:

dn: cn=student1, ou=sections, o=Atlanta
changetype: modify
add: ACL
ACL: 7#entry#cn=student1, ou=sections, o=Atlanta#[title]

or

dn: cn=student1, ou=sections, o=Atlanta
changetype: modify
add: ACL
ACL: 7#entry#[self]#[title]

They both do the same thing. If you are bulk generating LDIF files it is much easier to do it with [self] rather than reference the full DN of the object.

[This]

The [This] ACL is much cooler. Say you wanted to grant all users in a tree rights to change their own title. Since the ACL resides on each object you would need to modify each object and add the [Self] ACL to each user like this:

dn: cn=student1, ou=sections, o=Atlanta
changetype: modify
add: ACL
ACL: 7#entry#[self]#[title]

The problem is that you need to do this to each and every object in the tree. So your next option is to grant the rights at the O and have them flow down. The problem then is that everyone in the tree can change everyone else's title, so that won't work. What [This] lets you do is set the ACL at O=Atlanta and have it inherit down, so that you only modify a single ACL. However, the ACL does not grant the rights to the O, which would give every user the right to change every other user's object. Rather, it grants each user rights to their own object. Here is what that would look like in an LDIF:

dn: o=Atlanta
changetype: modify
add: ACL
ACL: 7#subtree#[This]#title

You can read more about [This] in the iManager documentation pages located at http://www.novell.com/documentation/lg/imanage15/index.html?page=/documentation/lg/imanage15/imanage/data/ai34ax5.html
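
The difference between a container trustee, [Self] and [This] can be checked with a small model before an inherited ACL goes into a production tree. The following is an added example, not code from Novell or from the original article. It assumes the rights bits compare=1, read=2, write=4 (consistent with 7 meaning read, compare and write above), treats a container trustee as passing its rights to everything beneath it, and ignores inherited rights filters and all other ACLs. The function names and the student2 user are hypothetical.

```python
# Simplified model of eDirectory ACL evaluation (illustration only, not Novell's code).
WRITE = 0x04  # assumed attribute-rights bits: compare=1, read=2, write=4 (7 = all three)

def rdns(dn):
    """Normalize a DN into a tuple of lowercase RDNs, leaf first."""
    return tuple(part.strip().lower() for part in dn.split(","))

def is_under(dn, ancestor):
    """True if dn equals ancestor or sits below it in the tree."""
    d, a = rdns(dn), rdns(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

def parse_acl(value):
    """Split 'privileges#scope#subject#attribute' into typed fields."""
    privs, scope, subject, attr = value.split("#")
    return int(privs), scope.lower(), subject.strip(), attr.strip().lower()

def can_write(requester, target, attribute, holder, acl_value):
    """Does the ACL stored on `holder` let `requester` write `attribute` on `target`?"""
    privs, scope, subject, attr = parse_acl(acl_value)
    if not privs & WRITE or attr != attribute.lower():
        return False
    # Scope: 'entry' covers only the holder; 'subtree' is inherited by everything below.
    if scope == "subtree":
        in_scope = is_under(target, holder)
    else:
        in_scope = rdns(target) == rdns(holder)
    if not in_scope:
        return False
    # Trustee: [Self] is the object holding the ACL, [This] is the object being accessed.
    trustee = {"[this]": target, "[self]": holder}.get(subject.lower(), subject)
    # A container trustee passes its rights on to the objects beneath it.
    return is_under(requester, trustee)

if __name__ == "__main__":
    s1 = "cn=student1, ou=sections, o=Atlanta"   # constructed sample users
    s2 = "cn=student2, ou=sections, o=Atlanta"
    org = "o=Atlanta"
    for acl in ("7#subtree#o=Atlanta#title", "7#subtree#[This]#title"):
        print(acl, "| own title:", can_write(s1, s1, "title", org, acl),
              "| someone else's title:", can_write(s1, s2, "title", org, acl))
```

With the O as trustee the second column is True, which is the over-broad grant described above; with [This] it is False while the first column stays True.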

