Re: access control
Darryl Moore wrote:
> I'm trying to set up access controls for the server. Here are the rules
> I am trying to implement
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth
> by self write by * none
> olcAccess: {1}to
> dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * none
> olcAccess: {2}to
> dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
> olcAccess: {3}to dn.regex="cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> group.exact,expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write by
> group="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
> olcAccess: {4}to dn.base="ou=Groups,dc=moores,dc=ca$" by
> group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
> olcAccess: {5}to dn.base="ou=People,dc=moores,dc=ca$" by
> group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
> olcAccess: {6}to * by users read by * none
> -
>
> Basically I have groups, and within those groups I have Contact lists
> and administrators. I want the administrator to have write access, other
> members to have read access, and non members to have none.
>
> This rule is what I think should work for that:
>
> dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
>
>
> I know this rule works for individual user contact lists:
>
> dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * none
>
>
> I think the problem I am running into is having the <who> field as
>
> group.exact,expand
>
> Can I not do this? If not, is there any way to achieve the same result?
>
> thanks,
> darryl
>
>
by ssf=128 set="[cn=admin,ou=groups,dc=domain,dc=tld]/member & user" write
->
any member of group 'admin' (groupOfNames) can write to...
I'm not sure if that's what you're trying to do.
Zdenek
--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net
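An added example, not taken from either message in this thread, that writes Zdenek's set-based membership test out as a complete replacement for rule {2} from the question. It assumes both group entries are groupOfNames with a member attribute (as Zdenek says), that the per-group Admin entry sits at cn=Admin,cn=<group>,ou=Groups as in rule {3}, and that the expand set style substitutes the regex capture from the <what> clause, which is how slapd.access(5) describes it.

```ldif
# One olcAccess value, continued over several lines with LDIF's
# leading-space convention. The <what> regex captures the group name
# as $1; each "by" clause then builds a set from the member attribute
# of the corresponding group entry and intersects it with the bound
# DN ("user"). A non-empty intersection is a match, and slapd stops
# at the first matching "by" clause, so admins get write, other
# members get read, and everyone else falls through to none.
olcAccess: {2}to dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$"
  by set.expand="[cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca]/member & user" write
  by set.expand="[cn=$1,ou=Groups,dc=moores,dc=ca]/member & user" read
  by * none
```

The grammar in slapd.access(5) lists exact and expand as the only group styles, so the group-based spelling of the same read clause would be group.expand="cn=$1,ou=Groups,dc=moores,dc=ca" rather than group.exact,expand. Before loading the rule into cn=config, bind as an admin, an ordinary member and an outsider in turn and confirm each sees exactly the access intended.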