Re: "to" rules
In the message of Monday 21 April 2008 17:30:08 you wrote:
> Note, you replied just to me - might have gotten a quicker reply from
> someone else if you replied to the list. Anyway...
>
> uri_gr1@tut.by writes:
> >From: uri_gr1@tut.by
> >
> >>> I have openldap-2.4.8 up and running. I have ou=People subtree with
> >>> posixAccounts and I need to grant access to, let's say,
> >>> ou=Clients,ou=AddressBook by all rdn's in ou=People, having
> >>> gidNumber=10008.
> >>
> >> I'm not quite sure what you mean with "by all rdn's". (...)
> >
> > user uid=uri_gr1,ou=People,dc=tut,dc=by should have write access to
> > ou=Clients,ou=AddressBook,dc=tut,dc=by subtree if the user entry contains
> > attribute gidNumber: 10008
>
> Still untested -
>
> access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
>     by dn.onelevel=ou=People,dc=tut,dc=by
>        set.exact="self/gidNumber & 10008"
>        write
> and maybe by * read or whatever for everyone else
I tested the ACLs below:
# ACL for clients addressbook
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by
       set.exact="self/gidNumber & 10003"
       write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by
       set.exact="self/gidNumber & 10007"
       write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by
       set.exact="self/gidNumber & 10008"
       write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by * none
#
But it didn't work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is
restricted for everyone. Is it possible to write some ACLs like:
...
by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
As far as I know, that is accepted in "to ..." rules, but what about "by ..."?
I tried it earlier, but maybe it failed because of wrong syntax?
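The same grants written as one directive, as an added example that is not part of the original post or thread. It relies on two documented slapd rules: the first "access to" whose <what> matches the target entry is the only one evaluated, and within it the first matching "by" wins. The set pattern assumes slapd's set syntax (user = bound DN, [...] = literal string); dn.exact for the three cn=... entries under ou=Groups is kept from the post and assumes those entries bind directly.

```conf
# slapd.conf fragment (added example, not the thread's own config).
#
# Why the posted version denied everyone: all seven directives share the
# same <what>, so slapd only ever evaluated the first one (the gidNumber
# 10003 clause). A bind DN that matched none of that directive's "by"
# clauses was denied by the implicit "by * none"; the admin, manager and
# seller directives were never reached. One directive, many "by" clauses.
#
# Assumptions: set syntax "user/gidNumber & [N]" (user = bound DN, [N] =
# literal value) is what the thread's "self/gidNumber & N" intends, and
# cn=admin/manager/seller are entries that bind themselves. If they are
# groupOfNames entries whose members should get write access, use
#   by group/groupOfNames/member="cn=admin,ou=Groups,dc=tut,dc=by" write
# instead of dn.exact, which matches only a bind as that exact DN.
#
# Continuation lines must start with whitespace.
access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by dn.onelevel="ou=People,dc=tut,dc=by"
       set="user/gidNumber & [10003]" write
    by dn.onelevel="ou=People,dc=tut,dc=by"
       set="user/gidNumber & [10007]" write
    by dn.onelevel="ou=People,dc=tut,dc=by"
       set="user/gidNumber & [10008]" write
    by dn.exact="cn=admin,ou=Groups,dc=tut,dc=by" write
    by dn.exact="cn=manager,ou=Groups,dc=tut,dc=by" write
    by dn.exact="cn=seller,ou=Groups,dc=tut,dc=by" write
    by * none

# Check the result offline with slapacl(8) before restarting slapd, e.g.
#   slapacl -f slapd.conf \
#     -D uid=uri_gr1,ou=People,dc=tut,dc=by \
#     -b ou=Clients,ou=AddressBook,dc=tut,dc=by entry/write
# which reports whether that bind DN gets write access to the entry.
```

Note that slapd.access(5) offers filter= only in the <what> part; there is no "by filter=", which is why the attribute test on the bound entry goes into a set.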