
Re: Another approach to a previous question



Daniel Henninger <daniel@unity.ncsu.edu> writes:

> For a different approach to this issue, I already have a tree called
> ou=hosts,dc=ncsu,dc=edu.  This has host specific "configuration" type
> information.  Currently, it only has what groups are allowed and not
> allowed into the machine.  I was going to add printers to this, so you
> can assign printers based off their entry in LDAP.  So let's pretend I
> have an entry called:
> cn=skippy.unity.ncsu.edu,ou=hosts,dc=ncsu,dc=edu
> and it has:
> ncsuAssignedPrinter: dhl-2413-1
> ncsuAssignedPrinter: dhl-2413-2
> ncsuAssignedPrinter: dhl-2413-color1
> ncsuAssignedPrinter: dhl-2413-private-printer
>
> Is there any way I could limit access to the private printer tree
> based off that?  In other words, "unless you are coming from skippy,
> you don't get to see the entry for dhl-2413-private-printer" in
> ou=private,ou=printers,dc=ncsu,dc=edu.  Something like:
>
> access to dn.regex="printer-name=(.*),ou=private,ou=printers,dc=ncsu,dc=edu
>  	by (host, where host has $1 listed in its ncsuAssignedPrinter)

man slapd.access(5)
the <who> field

something like (not tested yet)
access to
    dn.regex=printer-name=([^,]+),ou=private... attrs=ncsuAssignedPrinter val.regex=(.+)
  by domain.exact,expand=$2.example.com


you probably should allow reverse lookup to make it work.

-Dieter

-- 
Dieter Klünter | Systemberatung
Tel.: +49.40.64861967
Fax : +49.40.64891521
http://www.avci.de
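A fuller slapd.conf ACL fragment along the lines Dieter sketches, added here as an example and not configuration from either poster's site. It keeps the DN layout from the thread and assumes a hypothetical attribute, ncsuAllowedHost, on each private printer entry that holds the short hostname of the one machine allowed to see that entry (the thread itself only shows ncsuAssignedPrinter on host entries, so this attribute is an assumption). Ordering matters: slapd stops at the first access directive whose <what> clause matches, so the per-entry rule has to precede the subtree-wide one.

```conf
# Added example, not config from the thread's posters.  Assumes the DNs from
# the thread plus a hypothetical attribute ncsuAllowedHost on private printer
# entries whose value is the short hostname of the permitted client.

# Rule 1: the host that may read a private printer's ncsuAllowedHost attribute
# is taken from the attribute's own value and expanded into the <who> clause.
#   $1 = printer-name RDN value captured by dn.regex
#   $2 = attribute value captured by val.regex (value submatches are numbered
#        after the DN submatches), appended to the site domain as Dieter does.
# This rule covers only that attribute, not the entry itself; entry visibility
# is decided by rule 2 below.
access to dn.regex="^printer-name=([^,]+),ou=private,ou=printers,dc=ncsu,dc=edu$"
        attrs=ncsuAllowedHost val.regex="^(.+)$"
    by domain.exact,expand="$2.unity.ncsu.edu" read
    by * none

# Rule 2: everything else in the private printer subtree (including the
# "entry" pseudo-attribute, so the entries stay out of search results) is
# readable only from skippy; all other clients, anonymous included, get none.
access to dn.subtree="ou=private,ou=printers,dc=ncsu,dc=edu"
    by domain.exact="skippy.unity.ncsu.edu" read
    by * none

# domain= is decided from a reverse DNS lookup of the client's address, which
# is exactly why Dieter says reverse lookup must work.  It is only as strong
# as the DNS it consults; where the client addresses are fixed, a peername.ip
# clause on the client address (constructed placeholder below) avoids the
# DNS dependency:
#     by peername.ip="192.0.2.10" read
```

Rule 1 is the value-driven form from Dieter's sketch and Rule 2 is the plain host restriction; in practice a site would usually pick one model rather than combine both. Because domain matching trusts the PTR record for the client's IP, the peername.ip alternative in the trailing comment is the one to prefer when the set of allowed clients is small and static.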