
Re: set=<setspec>



Ah ha!  The syntax changed.  Referencing attributes is performed by "/"
instead of ".".  The rule needs to look like this:

access to dn.subtree="ou=Test,dc=apu,dc=edu"
  by set="[cn=TestGroup,dc=apu,dc=edu]/uniqueMember & user" read
  by * none

- Christoph


On Wed, 30 Jan 2002, Christoph Neumann wrote:

> I cannot get the "set=<setspec>" access control directive to work.  I have 
> read through the note at:
> 
> http://www.openldap.org/faq/data/cache/452.html
> 
> I have a rule that says this:
> 
> access to dn.subtree="ou=Test,dc=apu,dc=edu"
>   by set="[cn=TestGroup,dc=apu,dc=edu].uniqueMember & user" read
>   by * none
> 
> Where "cn=TestGroup" is a groupOfUniqueNames.
> 
> If I bind as a user listed in "TestGroup", I cannot read any information
> in the "Test" tree.  Do I have the syntax incorrect?  Does anyone have a
> good example of this that they have gotten working?
> 
> I understand that I can perform this type of access control with the
> "group" directive instead of the "set" directive.  I'm mainly interested
> in understanding the syntax of the "set" directive and how it works--especially
> the recursive lookups.
> 
> - Christoph
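
An added example, not part of the original thread and not OpenLDAP tooling: a small Python check that finds "set=" clauses still written with the dotted form and rewrites the attribute dereference to "/", leaving dots inside a bracketed DN literal alone. The function names and the third sample rule (a group DN containing a dot) are constructed for illustration.

```python
import re

# Quoted set specification inside a slapd.conf "by set=..." clause.
SET_CLAUSE = re.compile(r'\bset="([^"]*)"')

def convert_setspec(spec):
    """Rewrite '.' attribute dereferences to '/'; return (new_spec, changes).

    Dots inside a bracketed literal such as [cn=...] belong to the DN and
    are left alone.
    """
    out, depth, changes = [], 0, 0
    for i, ch in enumerate(spec):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth = max(depth - 1, 0)
        elif ch == "." and depth == 0 and spec[i + 1:i + 2].isalpha():
            ch, changes = "/", changes + 1
        out.append(ch)
    return "".join(out), changes

def lint_config(text):
    """Return (line_number, old_spec, new_spec) for each dotted set clause."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in SET_CLAUSE.finditer(line):
            new_spec, changes = convert_setspec(match.group(1))
            if changes:
                findings.append((lineno, match.group(1), new_spec))
    return findings

# Constructed sample: the two rules from this thread, plus one constructed
# rule whose group DN contains a dot (assumption, not from the thread).
SAMPLE = """\
access to dn.subtree="ou=Test,dc=apu,dc=edu"
  by set="[cn=TestGroup,dc=apu,dc=edu].uniqueMember & user" read
  by * none
access to dn.subtree="ou=Test,dc=apu,dc=edu"
  by set="[cn=TestGroup,dc=apu,dc=edu]/uniqueMember & user" read
  by * none
access to dn.subtree="ou=Test,dc=apu,dc=edu"
  by set="[cn=Test.Group,dc=apu,dc=edu].uniqueMember & user" read
  by * none
"""

if __name__ == "__main__":
    for lineno, old, new in lint_config(SAMPLE):
        print(f'line {lineno}: set="{old}"  ->  set="{new}"')
```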