RE: ACLs, groups, and regular expressions... oh my
> -----Original Message-----
> From: Howard Chu [mailto:hyc@highlandsun.com]
> You will have to explicitly list all of the groups that you
> want to give access to. Alternately, you can create a nesting
> group, a group whose members are all the other groups in the
> directory. Then you'll have to use the set syntax:
>     access to *
>         by set="[cn=metagroup,dc=example,dc=com]/member*" read
ACL sets are explained here: http://www.openldap.org/faq/data/cache/452.html

The above ACL is probably better written as

    access to *
        by set="[cn=metagroup,dc=example,dc=com]/member* & user" read

Regardless, it will be fairly expensive to evaluate, as it recursively
searches the directory to expand all of the members of the set. You're better
off just explicitly listing your groups.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
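
An added example (not part of the original message, and a simplified Python model rather than OpenLDAP code) of how the two set clauses above evaluate, assuming slapd's rule that a set clause matches when the resulting set is non-empty. The directory contents and the names `expand_member_star` and `set_acl_matches` are constructed for illustration.

```python
# Simplified model of slapd "set" ACL evaluation (illustration, not OpenLDAP code).
# Constructed directory: DN -> values of its "member" attribute.
METAGROUP = "cn=metagroup,dc=example,dc=com"
DIRECTORY = {
    METAGROUP: ["cn=admins,dc=example,dc=com", "cn=staff,dc=example,dc=com"],
    "cn=admins,dc=example,dc=com": ["uid=alice,dc=example,dc=com"],
    "cn=staff,dc=example,dc=com": ["uid=bob,dc=example,dc=com",
                                   "cn=admins,dc=example,dc=com"],  # nested group
}


def expand_member_star(start_dn, directory):
    """Model of [start_dn]/member*: follow 'member' values recursively.

    Returns (all values reached, number of entries that had to be read).
    Every reached DN is read once, including user entries, because the
    evaluator cannot know an entry has no 'member' values without fetching it.
    """
    found, visited, queue, lookups = set(), set(), [start_dn], 0
    while queue:
        dn = queue.pop()
        if dn in visited:  # guards against group cycles and repeated nesting
            continue
        visited.add(dn)
        lookups += 1
        for value in directory.get(dn, []):
            found.add(value)
            queue.append(value)
    return found, lookups


def set_acl_matches(user_dn, directory, intersect_with_user):
    """Evaluate the set clause for one requester.

    intersect_with_user=False models  [metagroup]/member*
    intersect_with_user=True  models  [metagroup]/member* & user
    Assumption: the clause matches when the final set is non-empty.
    """
    members, _ = expand_member_star(METAGROUP, directory)
    if intersect_with_user:
        user_set = {user_dn} if user_dn else set()  # anonymous = empty set
        members = members & user_set
    return bool(members)


if __name__ == "__main__":
    _, cost = expand_member_star(METAGROUP, DIRECTORY)
    print("entries read per evaluation:", cost)
    for who in ("uid=alice,dc=example,dc=com", "uid=carol,dc=example,dc=com"):
        print(who, set_acl_matches(who, DIRECTORY, False),
              set_acl_matches(who, DIRECTORY, True))
```

In this model the clause without `& user` matches any requester as long as the metagroup has members, while the `& user` form matches only DNs found in the expansion; the lookup count grows with every nested group and member, which is the evaluation cost the message refers to.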