Re: grant access on a attribute specific value
Hi,
(I've enabled long lines without wrapping)
Pierangelo Masarati wrote:
> if access depends on values in the "who", use sets; in your case,
> something like
>
> access to dn="cn=foo,ou=groups,dc=example,dc=com"
>     attrs=cn,description,memberUid,entry
>     by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write

wow ! no chance I could find that on my own, especially because the
slapd.access manpage says « The statement set=<pattern> is undocumented
yet. » :-)

> should work (note: indentation has probably been destroyed by my
> mailer).

no, it doesn't work :-(
precisely, in slapd.conf, I've added:

access to dn.children="ou=groupes,dc=domain"
    attrs=cn,description,memberUid,entry
    by dn="cn=adminLDAP,dc=domain" write
    by set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
    by users read

iremLillePerson = inetOrgPerson + groupesTravail(multi-valued)
1200 = value of the attribute for which I want to give write access.
when I give an explicit:
by dn="cn=name,ou=personnes,dc=domain"
instead of the set clause, it works.
any idea ?

> Dynacl has nothing to do.

ok, thanks for making this clear.
--
Fabrice Eudes -o)
PGP key 88AC3A66 /\\
Linux user no. 245401 _\_V
Tel 09 50 77 73 78
Fax 09 55 77 73 78
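
Added example, not part of the original message or of OpenLDAP: a simplified Python model of how a `set="[ldap:///...]/entryDN & user"` clause is meant to decide access (the URL expands to the DNs of matching entries, and a non-empty intersection with the bound user's DN grants the clause). The directory contents, the helper names and the simplified DN and filter handling are assumptions made for illustration.

```python
# Constructed sample directory (not from the original post): DN -> attributes.
DIRECTORY = {
    "cn=alice,ou=personnes,dc=domain":
        {"objectClass": ["inetOrgPerson", "iremLillePerson"], "groupesTravail": ["1100", "1200"]},
    "cn=bob,ou=personnes,dc=domain":
        {"objectClass": ["inetOrgPerson", "iremLillePerson"], "groupesTravail": ["1300"]},
    "cn=1200,ou=groupes,dc=domain": {"objectClass": ["posixGroup"]},
}

# The URL from the set clause quoted in the message above.
URL = "ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))"

def norm(dn):
    """Simplified DN normalization: case-fold and trim spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def split_top(s):
    """Split '(a=b)(c=d)' into its top-level parenthesized components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def matches(attrs, flt):
    """Evaluate a filter limited to (&...), (|...), (!...) and (attr=value)."""
    inner = flt.strip()[1:-1]
    if inner[0] in "&|!":
        results = [matches(attrs, p) for p in split_top(inner[1:])]
        if inner[0] == "!":
            return not results[0]
        return all(results) if inner[0] == "&" else any(results)
    name, value = inner.split("=", 1)
    vals = next((v for k, v in attrs.items() if k.lower() == name.lower()), [])
    return value.lower() in [v.lower() for v in vals]  # assumes case-insensitive matching

def expand_url(url):
    """Expand an ldap:/// URL with scope 'sub' into the set of matching entry DNs."""
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
    if scope != "sub":
        raise ValueError("this model only handles scope=sub")
    base = norm(base)
    return {norm(dn) for dn, attrs in DIRECTORY.items()
            if (norm(dn) == base or norm(dn).endswith("," + base)) and matches(attrs, flt)}

def set_grants(url, user_dn):
    """Model of set="[url]/entryDN & user": grant when the intersection is non-empty."""
    return bool(expand_url(url) & {norm(user_dn)})
```

In this model only the bound DN of an entry under ou=personnes whose groupesTravail values include 1200 satisfies the clause; any other identity falls through to the next `by` clause of the ACL.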