[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: "to" rules
Ð ÑÐÐÐÑÐÐÐÐ ÐÑ Wednesday 23 April 2008 15:14:08 Hallvard B Furuseth
ÐÐÐÐÑÐÐ(Ð):
> uri_gr1@tut.by writes:
> > I tested ACLs below:
> > (...)
> > But it's not worked. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is
> > restricted to all.
>
> Sorry, I forgot to quote the gidNumber values. Literal values in sets
> are quoted with [].
>
> Also you asked for another access than you actually wanted. Read man
> slapd.access: Only the first "to" clause which matches what you want to
> access, is used. Your first "access" clause hid all the others, since
> they had the same "to". Similarly, in the chosen "to" clause, only the
> first "by" clause which matches who is accessing, is used.
>
> There are keywords to avoid these rules ("break", "continue", "stop"),
> but you don't need them for this.
>
> So, let me try again (still untested, hope I'm getting it right this
> time) -
>
> access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
> by dn.onelevel=ou=People,dc=tut,dc=by
> set.exact="self/gidNumber & ([10003] | [10007] | [10008])"
> write
> by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
> by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
> by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
> by * none
nope, it's also not works.
>
> BTW, do you really Bind as e.g. "cn=seller,ou=Groups,dc=tut,dc=by", or
> is that the name of a group like it looks like?
I Bind as "cn=Test User,ou=People,dc=tut,dc=by". This has attribute
gidNumber=10008.
"cn=seller,ou=Groups,dc=tut,dc=by" - group with gidNumber=10008,
but "cn=seller,ou=Groups,dc=tut,dc=by" hasn't "cn=Test
User,ou=People,dc=tut,dc=by" on "member" attribute.
>
> > Is it posible to write some acls like:
> > by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
>
> Not directly, but that's in practice what the "set" ACLs emulate:
> by set.exact="self/objectClass & [posixAccount]"
> set.exact="self/gidNumber & [10008]"
> (with multiple rules in a "to" and "by" clause there is an implicit
> "and" between them.)
>
> Sets are still marked "experimental" though. And they are less
> efficient than rules that have logic better built in. They are
> described here in the FAQ:
> http://www.openldap.org/faq/data/cache/1133.html