
Re: ACLs, groups, and regular expressions... oh my



Monday 10 March 2003 22:52, Howard Chu wrote:
> > -----Original Message-----
> > From: Howard Chu [mailto:hyc@highlandsun.com]
> >
> > You will have to explicitly list all of the groups that you
> > want to give access to. Alternately, you can create a nesting
> > group, a group whose members are all the other groups in the
> > directory. Then you'll have to use the set syntax:
> > 	access to *
> > 	  by set="[cn=metagroup,dc=example,dc=com]/member*" read
>
> ACL sets are explained here http://www.openldap.org/faq/data/cache/452.html
> The above ACL is probably better written as
> 	access to *
> 	  by set="[cn=metagroup,dc=example,dc=com]/member* & user" read
>
> Regardless, it will be fairly expensive to evaluate, as it recursively
> searches the directory to expand all of the members of the set. You're
> better off just explicitly listing your groups.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
Thank you very much!
I've solved my problem with access to passwords (userPassword, ntPassword,
lmPassword) from a group of sysAdmins, using the "set" clause.
Here it is:
access to attr=userPassword,ntPassword,lmPassword
	by self	write
	by dn="cn=Manager,dc=example,dc=com"	write
	by set="[cn=Domain Admins,ou=Group,dc=example,dc=com]/memberUid & user/uid"	write
	by * none
It works now!
Thank You again!
Best regards. Sergios
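To make the two set forms in this thread concrete, here is an added Python model of how slapd resolves them against a directory; it is not OpenLDAP code and not part of the original exchange, and the DNs, uids and group entries are constructed sample data. It also counts the entry lookups that `member*` needs, which is the cost Howard refers to, and applies the password ACL above as a first-match rule.

```python
"""Toy model of OpenLDAP ACL set evaluation (added example, not slapd code)."""

# Constructed in-memory directory: DN -> attributes (values as lists).
DIRECTORY = {
    "cn=metagroup,dc=example,dc=com": {"member": ["cn=admins,dc=example,dc=com"]},
    "cn=admins,dc=example,dc=com": {"member": ["uid=alice,dc=example,dc=com"]},
    "cn=Domain Admins,ou=Group,dc=example,dc=com": {"memberUid": ["alice", "bob"]},
    "uid=alice,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,dc=example,dc=com": {"uid": ["bob"]},
    "uid=carol,dc=example,dc=com": {"uid": ["carol"]},
}

MANAGER = "cn=Manager,dc=example,dc=com"
DOMAIN_ADMINS = "cn=Domain Admins,ou=Group,dc=example,dc=com"

def attr_values(dns, attr):
    """A '/attr' step: the values of `attr` over every entry in `dns`."""
    return {v for dn in dns for v in DIRECTORY.get(dn, {}).get(attr, [])}

def closure(dns, attr):
    """A '/attr*' step: follow `attr` transitively, reading each DN found.

    Returns the reachable values and how many entries had to be read."""
    seen, frontier, lookups = set(), set(dns), 0
    while frontier:
        lookups += len(frontier)
        new = attr_values(frontier, attr) - seen
        seen |= new
        frontier = new
    return seen, lookups

def nested_group_grants(user_dn, metagroup):
    """set="[metagroup]/member* & user": a non-empty intersection grants access."""
    members, lookups = closure({metagroup}, "member")
    return bool(members & {user_dn}), lookups

def posix_group_grants(user_dn, group):
    """set="[group]/memberUid & user/uid": compare uid values, not DNs."""
    return bool(attr_values({group}, "memberUid") & attr_values({user_dn}, "uid"))

def password_access(user_dn, target_dn):
    """First matching 'by' clause wins: self, Manager, Domain Admins set, then none."""
    if user_dn == target_dn or user_dn == MANAGER:
        return "write"
    if posix_group_grants(user_dn, DOMAIN_ADMINS):
        return "write"
    return "none"
```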