Re: Another approach to a previous question
Daniel Henninger <daniel@unity.ncsu.edu> writes:
> For a different approach to this issue, I already have a tree called
> ou=hosts,dc=ncsu,dc=edu. This has host specific "configuration" type
> information. Currently, it only has what groups are allowed and not
> allowed into the machine. I was going to add printers to this, so you
> can assign printers based off their entry in LDAP. So let's pretend I
> have an entry called:
> cn=skippy.unity.ncsu.edu,ou=hosts,dc=ncsu,dc=edu
> and it has:
> ncsuAssignedPrinter: dhl-2413-1
> ncsuAssignedPrinter: dhl-2413-2
> ncsuAssignedPrinter: dhl-2413-color1
> ncsuAssignedPrinter: dhl-2413-private-printer
>
> Is there any way I could limit access to the private printer tree
> based off that? In other words, "unless you are coming from skippy,
> you don't get to see the entry for dhl-2413-private-printer" in
> ou=private,ou=printers,dc=ncsu,dc=edu. Something like:
>
> access to dn.regex="printer-name=(.*),ou=private,ou=printers,dc=ncsu,dc=edu"
> by (host, where host has $1 listed in its ncsuAssignedPrinter)
man slapd.access(5), the <who> field.
Something like (not tested yet):

access to dn.regex=printer-name=([^,]+),ou=private... attrs=ncsuAssignedPrinter val.regex=(.+)
    by domain.exact,expand=$2.example.com

You probably should allow reverse lookup to make it work.
-Dieter
--
Dieter Klünter | Systemberatung
Tel.: +49.40.64861967
Fax : +49.40.64891521
http://www.avci.de
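
The policy asked about in the quoted question, modelled in Python as an added example (it is not from the thread and is not slapd configuration): a private printer entry is visible only to a client whose reverse-resolved name has a host entry listing that printer in ncsuAssignedPrinter. The function name, the second host entry and the in-memory dictionary standing in for the directory are assumptions made for illustration.

```python
import re

# Constructed sample data mirroring the host entry quoted in the thread.
HOSTS = {
    "cn=skippy.unity.ncsu.edu,ou=hosts,dc=ncsu,dc=edu": {
        "ncsuAssignedPrinter": [
            "dhl-2413-1", "dhl-2413-2",
            "dhl-2413-color1", "dhl-2413-private-printer",
        ],
    },
    # Hypothetical second host with no private printer assigned.
    "cn=other.unity.ncsu.edu,ou=hosts,dc=ncsu,dc=edu": {
        "ncsuAssignedPrinter": ["dhl-2413-1"],
    },
}

PRIVATE_DN = re.compile(
    r"^printer-name=([^,]+),ou=private,ou=printers,dc=ncsu,dc=edu$",
    re.IGNORECASE,
)
# Only plain DNS host names are accepted before building a DN from them.
HOSTNAME = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")


def may_read_printer(printer_dn, client_fqdn, hosts=HOSTS):
    """Return True if the client host may see the private printer entry."""
    m = PRIVATE_DN.match(printer_dn.strip())
    if m is None:
        return False  # not under ou=private: this rule does not apply
    if not client_fqdn:
        return False  # no reverse-resolved name available: deny
    name = client_fqdn.strip().rstrip(".").lower()
    if not HOSTNAME.match(name):
        return False  # a PTR name is untrusted input; reject DN metacharacters
    entry = hosts.get(f"cn={name},ou=hosts,dc=ncsu,dc=edu")
    if entry is None:
        return False  # unknown host: deny
    wanted = m.group(1).lower()
    assigned = (p.lower() for p in entry.get("ncsuAssignedPrinter", []))
    return wanted in assigned
```

The decision is only as trustworthy as the name handed to it, so a client with no reverse-resolved name is denied rather than matched against an empty string.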