Re: ACLs, groups, and regular expressions... oh my
On Monday 10 March 2003 22:52, Howard Chu wrote:
> > -----Original Message-----
> > From: Howard Chu [mailto:hyc@highlandsun.com]
> >
> > You will have to explicitly list all of the groups that you
> > want to give access to. Alternately, you can create a nesting
> > group, a group whose members are all the other groups in the
> > directory. Then you'll have to use the set syntax:
> >     access to *
> >         by set="[cn=metagroup,dc=example,dc=com]/member*" read
>
> ACL sets are explained here http://www.openldap.org/faq/data/cache/452.html
> The above ACL is probably better written as
>     access to *
>         by set="[cn=metagroup,dc=example,dc=com]/member* & user" read
>
> Regardless, it will be fairly expensive to evaluate, as it recursively
> searches the directory to expand all of the members of the set. You're
> better off just explicitly listing your groups.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
Thank you very much!
I've solved my problem with access to passwords (userPassword, ntPassword,
lmPassword) from the group of sysAdmins, using the "set" clause.
Here it is:

    access to attr=userPassword,ntPassword,lmPassword
        by self write
        by dn="cn=Manager,dc=example,dc=com" write
        by set="[cn=Domain Admins,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
        by * none

It works now!
Thank you again!
Best regards. Sergios
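
The two set expressions from this thread, as an added example that is not part of the original messages and is not OpenLDAP's code: a simplified Python model of set evaluation, in which a `by set=` clause matches when the resulting set is non-empty. The directory entries are constructed and the function names are hypothetical; it shows why the `& user` term matters and how many entry lookups the recursive `member*` expansion costs per check.

```python
# Simplified model of slapd ACL "set" evaluation (illustration only).
# Constructed sample directory: DN -> attributes.
DIRECTORY = {
    "cn=metagroup,dc=example,dc=com": {"member": ["cn=admins,dc=example,dc=com",
                                                   "cn=staff,dc=example,dc=com"]},
    "cn=admins,dc=example,dc=com": {"member": ["uid=alice,dc=example,dc=com"]},
    "cn=staff,dc=example,dc=com": {"member": ["uid=bob,dc=example,dc=com",
                                               "cn=admins,dc=example,dc=com"]},
    "cn=Domain Admins,ou=Group,dc=example,dc=com": {"memberUid": ["alice"]},
    "uid=alice,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,dc=example,dc=com": {"uid": ["bob"]},
    "uid=carol,dc=example,dc=com": {"uid": ["carol"]},
}

def deref(dns, attr, lookups):
    """One step of [dn]/attr: collect attr values from each entry in dns."""
    out = set()
    for dn in dns:
        lookups.append(dn)  # every dereference is a directory lookup
        out.update(DIRECTORY.get(dn, {}).get(attr, []))
    return out

def deref_recursive(dns, attr, lookups):
    """[dn]/attr*: keep following attr until no new values appear."""
    seen, frontier = set(dns), set(dns)
    while frontier:
        frontier = deref(frontier, attr, lookups) - seen
        seen |= frontier
    return seen

def nested_read_allowed(user_dn, intersect_user):
    """Model of set="[metagroup]/member*", with or without "& user"."""
    lookups = []
    members = deref_recursive({"cn=metagroup,dc=example,dc=com"}, "member", lookups)
    result = members & {user_dn} if intersect_user else members
    return bool(result), len(lookups)  # granted iff the set is non-empty

def password_write_allowed(user_dn):
    """Model of set="[Domain Admins]/memberUid & user/uid"."""
    lookups = []
    uids = deref({"cn=Domain Admins,ou=Group,dc=example,dc=com"}, "memberUid", lookups)
    return bool(uids & deref({user_dn}, "uid", lookups))
```

In this model carol, who is in no group, is granted read by the expression without `& user` because the expanded set is non-empty regardless of who is asking; with `& user` she is denied, and each check still costs five entry lookups.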