
Re: "to" rules



In the message of Monday 21 April 2008 17:30:08, you wrote:
> Note, you replied just to me - might have gotten a quicker reply from
> someone else if you replied to the list.  Anyway...
>
> uri_gr1@tut.by writes:
> >
> >>> I have openldap-2.4.8 up and running. I have ou=People subtree with
> >>> posixAccounts and I need to grant access to, let's say,
> >>> ou=Clients,ou=AddressBook by all rdn's in ou=People, having
> >>> gidNumber=10008.
> >>
> >> I'm not quite sure what you mean with "by all rdn's".  (...)
> >
> > user uid=uri_gr1,ou=People,dc=tut,dc=by should have write access to
> > ou=Clients,ou=AddressBook,dc=tut,dc=by subtree if the user entry contains
> > attribute gidNumber: 10008
>
> Still untested -
>
> access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
>        by dn.onelevel=ou=People,dc=tut,dc=by
>           set.exact="self/gidNumber & 10008"
>           write
>        and maybe by * read or whatever for everyone else
I tested the ACLs below:

# ACL for clients addressbook
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by
      set.exact="self/gidNumber & 10003"
      write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by
      set.exact="self/gidNumber & 10007"
      write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by
      set.exact="self/gidNumber & 10008"
      write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by * none
#

But it doesn't work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is
restricted for everyone. Is it possible to write ACLs like:
...
by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...

As far as I know it is accepted in "to ..." rules, but what about "by ..."?
I tried it earlier, but maybe it failed because of wrong syntax?
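A merged version of the ACLs above, as an added example that is not from the thread: slapd evaluates only the first "access to" directive whose target matches the entry and ignores later ones for the same DN, so several "access to dn.subtree=ou=Clients,..." directives mean only the first is ever consulted, and "filter=" is a "to" (what) qualifier, so the gidNumber condition on the bound user has to be expressed as a set in the "by" clause. It assumes the set syntax documented in slapd.access(5) ("user" for the bound DN, "[...]" for a literal value) and that some other access directive lets the bound user's own gidNumber be read when the set is evaluated.

```conf
# Added example, not from the thread. One access directive covers the
# whole ou=Clients subtree; every "by" for that target must be in this
# single clause, and "by" lines are tried in order, first match wins.
#
# Role DNs as in the thread: each grants to a client that binds as that
# exact DN. If cn=admin/cn=manager/cn=seller are group entries instead
# (assumption: groupOfNames with "member"), use
#   by group.exact=cn=admin,ou=Groups,dc=tut,dc=by write
# which grants to the group's members rather than to the group DN.
#
# The set lines replace the wished-for "by filter=...": "user" is the
# bound DN, "user/gidNumber" its gidNumber values, "[10008]" a literal
# value; the "by" matches when the intersection is non-empty. The
# dn.onelevel part keeps the rule to entries directly under ou=People.
# Assumption: the bound entry's gidNumber is readable for that user
# under another access directive, otherwise the set is always empty.
#
# "by * none" is the implicit default; it is written out to make the
# deny visible to anyone reading the file.
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
    by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
    by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
    by dn.onelevel=ou=People,dc=tut,dc=by
       set.exact="user/gidNumber & [10003]" write
    by dn.onelevel=ou=People,dc=tut,dc=by
       set.exact="user/gidNumber & [10007]" write
    by dn.onelevel=ou=People,dc=tut,dc=by
       set.exact="user/gidNumber & [10008]" write
    by * none
```

Check the effect without restarting the whole setup by running slapacl as the bound user against one entry in the subtree, e.g. "slapacl -D uid=uri_gr1,ou=People,dc=tut,dc=by -b ou=Clients,ou=AddressBook,dc=tut,dc=by entry/write", which reports the access level slapd would grant.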