Re: ACL group
Alexandre Garel wrote:
lucie wermer wrote:
Hi,
I have a directory in which people are in the branch "ou=People", and
groups in the branch "ou=groups".
I need an ACL to authorize an entry
"uid=manager,dc=org,dc=fr" to access the entries
that are members of a specific group.
Only this entry can access the entries from
"ou=people" that are in the group
"cn=VIP,ou=groups,dc=org,dc=fr".
I hope I am clear enough.
Thanks for any help!
It would be easier to give the entries an employeeType (or manager, or
whichever you want) attribute which would be set to VIP. So
your ACL rule would be:
access to dn.children="ou=people,dc=org,dc=fr"
        filter="(employeeType=VIP)"
    by "uid=manager,dc=org,dc=fr" write
    by * none
There is the possibility to use groups, but that is to specify who
can access an entry (and not which entry can be accessed). So that's the contrary
of your problem.
I am not such an ACL expert, so I don't know if your original request
can be satisfied.
Alex.
I just posted a hint in reply to another message that should also do for you. Well,
I just read it in Faq-o-matic and never tested such a thing, but maybe it's
what you need. See the explanation of sets at
http://www.openldap.org/faq/data/cache/452.html.
With a set you can do:
access to dn.one="ou=people,dc=org,dc=fr"
    by dn.exact="uid=manager,dc=org,dc=fr"
        set="this & [cn=VIP,ou=groups,dc=org,dc=fr]/member" write
    by * none
If I understand Faq-o-matic well, this checks that the user is the manager
and checks the intersection of the entry DN with the values of the member
attribute in the VIP group. (Of course, if you have, say, a
groupOfUniqueNames you'll have to use uniqueMember instead of member.)
It's just a hint; you should try it if you like adventure. Maybe an ACL guru
on the list could confirm.
Alex.
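The two rules in this thread decide access differently: the first selects target entries by an attribute filter, the second by intersecting the target's DN with a group's member values. The model below, added here as an illustration and not code from slapd or from anyone on the list, walks both rules over a small constructed directory to show which entries the manager reaches under each. The scope, filter and set matching are simplified (slapd normalises DNs properly; the lower-casing here is a stand-in), the entries, the group and the helper names are all made up for the example, and a `None` result means the rule's <what> part did not apply, so slapd would continue with the next access directive.

```python
# Added model of slapd's first-match ACL evaluation for the two rules in
# this thread. Not slapd's own code; all directory data is constructed.
from dataclasses import dataclass
from typing import Optional

MANAGER = "uid=manager,dc=org,dc=fr"
GROUP = "cn=VIP,ou=groups,dc=org,dc=fr"

# Constructed directory: a people subtree (one entry a level deeper) and one groupOfNames.
DIRECTORY = {
    MANAGER: {"uid": ["manager"]},
    "uid=alice,ou=people,dc=org,dc=fr": {"uid": ["alice"], "employeeType": ["VIP"]},
    "uid=bob,ou=people,dc=org,dc=fr": {"uid": ["bob"], "employeeType": ["staff"]},
    "uid=carol,ou=temp,ou=people,dc=org,dc=fr": {"uid": ["carol"], "employeeType": ["VIP"]},
    GROUP: {
        "objectClass": ["groupOfNames"],
        # second value deliberately differs in case from the entry's DN
        "member": ["uid=alice,ou=people,dc=org,dc=fr",
                   "UID=carol,OU=temp,ou=people,dc=org,dc=fr"],
    },
}


def norm(dn: str) -> str:
    """Crude DN normalisation (stand-in for slapd's): trim and lower-case each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(style: str, base: str, dn: str) -> bool:
    """dn.one = direct children of base only; dn.children = the whole subtree below it."""
    suffix = "," + norm(base)
    if not norm(dn).endswith(suffix):
        return False
    if style == "children":
        return True
    if style == "one":
        return "," not in norm(dn)[: -len(suffix)]  # exactly one RDN above the base
    raise ValueError(style)


def matches_filter(entry: dict, attr: str, value: str) -> bool:
    """Equality filter (attr=value), case-insensitive like a caseIgnore attribute."""
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def set_non_empty(this_dn: str, group_dn: str, attr: str) -> bool:
    """'this & [group_dn]/attr' is non-empty iff the target's DN is one of the group's values."""
    values = {norm(v) for v in DIRECTORY.get(group_dn, {}).get(attr, [])}
    return norm(this_dn) in values


@dataclass
class By:
    who: str                         # exact DN, or "*" for anyone
    level: str                       # access level granted, e.g. "write" or "none"
    setspec: Optional[tuple] = None  # (group_dn, member_attr) for set="this & [group]/attr"


@dataclass
class Rule:
    style: str                     # "one" or "children"
    base: str
    by: list
    filt: Optional[tuple] = None   # (attr, value) equality filter on the target


# First suggestion: tag VIP entries with employeeType and filter on it.
RULE_FILTER = Rule("children", "ou=people,dc=org,dc=fr",
                   [By(MANAGER, "write"), By("*", "none")],
                   filt=("employeeType", "VIP"))

# Second suggestion: intersect the target DN with the group's member values.
RULE_SET = Rule("one", "ou=people,dc=org,dc=fr",
                [By(MANAGER, "write", setspec=(GROUP, "member")), By("*", "none")])


def access(rule: Rule, requester: str, target: str) -> Optional[str]:
    """Level granted by the first matching <by> clause, or None when the
    <what> part does not apply and slapd would move on to the next directive."""
    entry = DIRECTORY[target]
    if not in_scope(rule.style, rule.base, target):
        return None
    if rule.filt and not matches_filter(entry, *rule.filt):
        return None
    for clause in rule.by:
        if clause.who != "*" and norm(clause.who) != norm(requester):
            continue
        # qualifiers inside one <by> clause are ANDed: a failed set test
        # does not deny by itself, it just falls through to the next clause
        if clause.setspec and not set_non_empty(target, *clause.setspec):
            continue
        return clause.level
    return "none"  # unreachable here: both rules end with an explicit "by * none"


def manager_view(rule: Rule) -> dict:
    """What the manager gets on every entry under ou=people for one rule."""
    people = [dn for dn in DIRECTORY if dn.endswith("ou=people,dc=org,dc=fr")]
    return {dn.split(",")[0]: access(rule, MANAGER, dn) for dn in people}


if __name__ == "__main__":
    print("filter rule:", manager_view(RULE_FILTER))
    print("set rule:   ", manager_view(RULE_SET))
```

Running it shows the two rules disagree on two entries: bob is simply outside the filter rule (it never applies to him), while under the set rule he is inside the <what> scope and hits the explicit `by * none`; carol, who is a VIP and a group member, is reached by the filter rule because `dn.children` covers the whole subtree, but not by the set rule as posted, since `dn.one` only covers direct children of ou=people. Whichever variant is used, the group's member values have to resolve to the same normalised DN as the target entry, which is why the mixed-case member value above still matches.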
- References:
- ACL group
- From: lucie wermer <luwermer@yahoo.fr>
- Re: ACL group
- From: "Alexandre Garel" <garel.alexandre@agora.msa.fr>