[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: working whith sets

To: ldap@fadesa.es
Subject: Re: working whith sets
From: Lee Jensen <lee_jensen@sento.com>
Date: Thu, 17 Mar 2005 07:35:42 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <42396CA3.7C881907@fadesa.es>
References: <42396CA3.7C881907@fadesa.es>

It's actually relatively simple

access to dn.subtree="ou=people,dc=domain"
  filter="(personRole=staff)"
  by set="user/personRole & [admin]" write

that should work just fine.

One of the reasons this likely doesn't work is
by set="( this/personRole & [staff]  ) & ( user/personRole &
([admin]|[bofh]) )" write

because the & operator is used just like it would be in a binary
operation, not in a logical one. So it determines entries that are in
both the left and right set so what you end up with is a set comparison
like this:

(staff) & (admin|bofh)

Obviously those will never contain the same members and the & operator
will cause an empty list to be returned which is false in sets.

On Thu, 2005-03-17 at 12:40 +0100, José M. Fandiño wrote:
> Dear friends,
> 
> How I can permit write access to entries with an attribute 
> value by others with other attribute value.
>  
> i.e:
> 
> permit write access to entries with a "staff" role by
> entries with an "admin" role.
> 
> access to dn.subtree="ou=people,dc=domain"
>    by set="( this/personRole & [staff]  ) & ( user/personRole & ([admin]|[bofh]) )" write
> 
> I did several tests but none of them worked.
> 
> is it possible with sets?
> 
> Thank you.

References:
- working whith sets
  - From: "José M. Fandiño" <ldap@fadesa.es>

Prev by Date: Fwd: Connection to ldap server failed
Next by Date: Re: OpenLDAP 2.2.24 available
Index(es):
- Chronological
- Thread