
Re: OpenLDAP 2.1 and ACL



> Emmanuel Blot writes:
>> I'd like to give different access rights depending on the 'gid' value.
>>
>> gid>=10, user can write maildrop and cn
>> gid>=2, user can write maildrop, but can only read cn
>>
>> What kind of ACL rules can I use to implement this kind of control ?
>> Are there some rules for <who> that will be something like "by filter =
>> (group>=8)" ... ??
>
> I don't see how.  Both filter= and attrs= are in the <what> part of
> ACLs, and I don't think <what> can have several components.
> I think you'll have to use ACIs.

By using "break" one can have ACL checking continue to other
access statements; if you can write several <what> parts that
end up in what you need, then it's done (but it's still a
nightmare...)

Ando

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
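
A sketch of the "break" approach described in the reply above, added here as an example and not part of the original message or of the OpenLDAP documentation. It assumes that 'gid' is an attribute of the user's own entry, that users bind as that entry (so "by self" applies), and that the attribute's schema definition allows ordering (>=) matches.

```conf
# slapd.conf fragment (constructed example; attribute names taken from
# the question, everything else is an assumption).
#
# slapd uses the first "access to" statement whose <what> matches the
# target entry and attribute, then the first matching "by" clause.
# The default control is "stop"; "break" lets evaluation fall through
# to later access statements that also match.

# gid >= 10: the entry's owner may write both maildrop and cn.
access to filter=(gid>=10) attrs=maildrop,cn
    by self write
    by * break

# gid >= 2: the entry's owner may write maildrop only.
# Entries with gid >= 10 also match here; their owner was already
# granted write above, so only other identities reach this statement.
access to filter=(gid>=2) attrs=maildrop
    by self write
    by * break

# Fallback for everything that fell through: read only.
# Without the "by * break" clauses above, each statement would end in
# the implicit "by * none" and non-owners would be denied outright.
access to attrs=maildrop,cn
    by * read
```

The filter in <what> is evaluated against the target entry, so it tests the user's own gid only because "by self" restricts the grant to the entry's owner. If the attribute has no ordering matching rule in the schema, the >= filter will not match and every request ends at the read-only fallback.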