Re: ACLs on OUs and their children/leaves
Markus Wernig wrote:
I can't find an indication of what version of the software you're using,
so helping you might be a problem because ACLs have been evolving quite
a bit.
This seems clear, so far. What I'm not getting into my head is: how to
set ACLs on group-{1:n} in such a way that only those who bind to the
server with a DN of "ou=group-{X},ou=users,dc=domain,dc=tld" and the
userPassword set for group-{X} can read/write the entries
(inetorgPerson) in that OU. The problem is that there is no real naming
convention for the groups (not regex-able),
??? see below.
and that they tend to be
rather dynamic. Plus: There's no way of restricting access to certain,
static names that I could predefine in an ACL, so I think I need a
dynamic approach.
I've tried the following (in slapd.conf), which generates a slapd
startup error and failure:
# ACLs
access to attrs=userPassword
    by self write
    by * auth
access to *
    by self write
    by users search
access to dn.sub="ou=users,dc=domain,dc=tld"
    by dnattr="ou" write
This is wrong because, as the name says, you need to set "dnattr" to an
attribute that is DN-valued (or nameAndOptionalUID-valued, like
uniqueMember). The solution to your problem is:
access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
    by dn.exact,expand="$2" write
i.e. grab the terminal portion of the DN and use it to compare with the
identity of the operation.
Use
access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
    by dn.regex="^$2$$" write
with older versions of the software.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
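The two ACL forms given in the reply, exercised as an added Python example that is not part of this thread and not OpenLDAP code. It models only the step the reply describes: match the target DN against the dn.regex of the "access to" clause, expand "$2" from the captured terminal portion, and compare that with the identity of the operation. Assumptions: DN normalization is simplified to lowercasing and trimming, "$$" in the older form is treated as a literal "$" (the end anchor), and every DN below is constructed for the example.

```python
import re

# The <what> regex quoted in the reply: an optional child prefix (group 1)
# followed by the per-group OU, anchored at the end of the DN (group 2).
WHAT_RE = re.compile(r"(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$")


def normalize(dn: str) -> str:
    """Simplified DN normalization (assumption: lowercase, trim around commas).
    Real slapd compares normalized DNs; this is enough to show the mechanism."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def expand(pattern: str, m: "re.Match") -> str:
    """Replace $N with the N-th group captured by the <what> regex and $$ with a
    literal '$' (assumption: this mirrors the intent of the "^$2$$" form)."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "$" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "$":
                out.append("$")
                i += 2
                continue
            if nxt.isdigit():
                out.append(m.group(int(nxt)) or "")
                i += 2
                continue
        out.append(c)
        i += 1
    return "".join(out)


def may_write_exact(target_dn: str, bind_dn: str) -> bool:
    """access to dn.regex=WHAT_RE  by dn.exact,expand="$2" write
    Returns False when the clause does not apply to target_dn at all."""
    m = WHAT_RE.match(normalize(target_dn))
    if not m:
        return False
    # The expanded value is compared as a DN, not interpreted as a regex.
    return normalize(bind_dn) == expand("$2", m)


def may_write_regex(target_dn: str, bind_dn: str) -> bool:
    """Older form: access to dn.regex=WHAT_RE  by dn.regex="^$2$$" write"""
    m = WHAT_RE.match(normalize(target_dn))
    if not m:
        return False
    # e.g. "^ou=group-1,ou=users,dc=domain,dc=tld$": the group's own OU DN,
    # anchored on both sides so only that exact identity matches.
    who_re = expand("^$2$$", m)
    return re.match(who_re, normalize(bind_dn)) is not None


def demo():
    """Constructed cases: (target entry, bind DN, exact-form result, regex-form result)."""
    cases = [
        # group-1's account writing an entry in its own OU
        ("cn=alice,ou=group-1,ou=users,dc=domain,dc=tld",
         "ou=group-1,ou=users,dc=domain,dc=tld"),
        # group-2's account trying the same entry
        ("cn=alice,ou=group-1,ou=users,dc=domain,dc=tld",
         "ou=group-2,ou=users,dc=domain,dc=tld"),
        # the OU entry itself: no child prefix, group 1 of the regex is empty
        ("ou=group-1,ou=users,dc=domain,dc=tld",
         "ou=group-1,ou=users,dc=domain,dc=tld"),
        # an entry outside ou=users: the clause does not apply
        ("cn=bob,ou=other,dc=domain,dc=tld",
         "ou=group-1,ou=users,dc=domain,dc=tld"),
    ]
    return [(t, b, may_write_exact(t, b), may_write_regex(t, b)) for t, b in cases]


if __name__ == "__main__":
    for target, bind, exact, regex in demo():
        print(f"{bind} -> {target}: exact={exact} regex={regex}")
```

Both forms give the same answers on these cases; the difference is that dn.exact,expand compares the expanded string as a DN, while the older dn.regex form turns it into a second regex, which is why the end anchor has to be written as "$$" there. When putting either clause into slapd.conf, keep in mind that slapd uses the first "access to" clause whose <what> matches the entry, so this clause has to come before a broader "access to *" or it is never consulted.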