
Re: ACL group



Alexandre Garel wrote:

lucie wermer wrote:

Hi,
I have a directory in which people are in the branch "ou=People", and groups in the branch "ou=groups".
I need an ACL to authorize an entry
"uid=manager,dc=org,dc=fr" to access the entries
that are members of a specific group.
Only this entry can access the entries from
"ou=people" that are in the group
"cn=VIP,ou=groups,dc=org,dc=fr"


I hope I am clear enough.
Thanks for any help!


It would be easier to make entries have an attribute employeeType (or manager or whichever you want) which would be set to VIP. So your ACL rule would be:
access to dn.children="ou=people,dc=org,dc=fr" filter="(employeeType=VIP)"
by "uid=manager,dc=org,dc=fr" write
by * none


There is the possibility to use groups, but that's to specify who can access an entry (and not which entry can be accessed). So that's the contrary of your problem.
I am not such an ACL expert, so I don't know if your original request can be satisfied.
Alex.


I just posted a hint in another message that shall also do for you. Well, I just read it in Faq-o-matic, never tested such a thing, but maybe it's what you need. See the set explanation at http://www.openldap.org/faq/data/cache/452.html.
With set you can do:


access to dn.one="ou=people,dc=org,dc=fr"
by dn.exact="uid=manager,dc=org,dc=fr" set="this & [cn=VIP,ou=groups,dc=org,dc=fr]/member" write
by * none


If I understand faq-o-matic well, this checks that the user is the manager and that the entry DN intersects with the values of the member attribute in the VIP group. (Of course if you have, say, a groupOfUniqueNames you'll have to use uniqueMember instead of member.)
It's just a hint; you should try it if you like adventure. Maybe an ACL guru on the list could confirm.
Alex.
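As an added illustration (not part of either post, and not OpenLDAP's own ACL evaluation code), a small Python model of the two rules discussed in this thread, run over a constructed sample directory, so you can see which requests each rule would grant; the sample entries, DNs and helper names are assumptions:

```python
# Added example, not from the thread: an offline model of the two ACL styles
# discussed (attribute filter vs. set "this & [group]/member") over a
# constructed sample directory, to check what each rule would grant.
from typing import Callable, Dict, List


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively, ignoring space around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed sample directory: normalized DN -> attributes (lower-case names).
_RAW = {
    "uid=alice,ou=people,dc=org,dc=fr": {"employeetype": ["VIP"]},
    "uid=bob,ou=people,dc=org,dc=fr": {"employeetype": ["staff"]},
    "cn=VIP,ou=groups,dc=org,dc=fr": {"member": ["UID=Alice,ou=people,dc=org,dc=fr"]},
}
DIRECTORY: Dict[str, Dict[str, List[str]]] = {normalize_dn(k): v for k, v in _RAW.items()}

MANAGER_DN = "uid=manager,dc=org,dc=fr"
VIP_GROUP_DN = "cn=VIP,ou=groups,dc=org,dc=fr"


def filter_rule(target_dn: str) -> bool:
    """First suggestion: filter="(employeeType=VIP)" on the target entry."""
    entry = DIRECTORY.get(normalize_dn(target_dn), {})
    return "VIP" in entry.get("employeetype", [])


def set_rule(target_dn: str, member_attr: str = "member") -> bool:
    """Set clause 'this & [VIP_GROUP_DN]/<member_attr>': grant iff the target
    DN is among the group's membership values (intersection non-empty).
    member_attr must match the group's object class: member for groupOfNames,
    uniqueMember for groupOfUniqueNames, as the post warns."""
    group = DIRECTORY.get(normalize_dn(VIP_GROUP_DN), {})
    members = {normalize_dn(m) for m in group.get(member_attr.lower(), [])}
    return normalize_dn(target_dn) in members


def decide(requester_dn: str, target_dn: str, rule: Callable[[str], bool]) -> str:
    """Walk the 'by' clauses in order: the manager's clause grants write only
    when both the dn.exact part and the rule match; otherwise 'by * none'."""
    if normalize_dn(requester_dn) == normalize_dn(MANAGER_DN) and rule(target_dn):
        return "write"
    return "none"
```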