
Re: access control



On 23/07/2009 18:22, Darryl Moore wrote:
Thanks Zdenek. Going back to my books, I am learning more thanks to your
comment. I think I understand what you are saying, but to work I still
need to be able to expand the regular expression.

So even with set="cn=..../member*" it would have to be
set,expand="cn.../member*", because I have to match the group. I don't
have a central admin group.

From what I've seen, ",expand" only works with dn. constructs. Is that
right? How else can I do this?


cheers,
darryl

Darryl Moore wrote:
Thanks, but not quite

if I have a group

cn=mygroup,ou=Groups,dc=....

then I also have a subgroup

cn=admin,cn=mygroup,ou=groups,dc=....

I want the members of the subgroup to have write access to the parent
group, and the members of the parent group to only have read access.

You could probably achieve this with something like:

access to dn.children=ou=groups,dc=....
  by set="([ldap:///] + this + [??one?cn=admin])/member & user" write
  by set="this/member & user" read

This will search for an entry named "cn=admin" one level under each group in ou=groups, and allow write access to its members.

Hope this helps,
Jonathan

Zdenek Styblik wrote:
Darryl Moore wrote:
I'm trying to set up access controls for the server. Here are the rules
I am trying to implement:

olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none
olcAccess: {1}to dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * none
olcAccess: {2}to dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
olcAccess: {3}to dn.regex="cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group.exact,expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write by group="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
olcAccess: {4}to dn.base="ou=Groups,dc=moores,dc=ca$" by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
olcAccess: {5}to dn.base="ou=People,dc=moores,dc=ca$" by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
olcAccess: {6}to * by users read by * none

Basically I have groups, and within those groups I have contact lists
and administrators. I want the administrator to have write access, other
members to have read access, and non-members to have none.

This rule is what I think should work for that:

dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none


I know this rule works for individual user contact lists:

dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * none


I think the problem I am running into is having the <who> field as

group.exact,expand

Can I not do this? If not, is there any way to achieve the same result?

thanks,
darryl


by ssf=128 set="[cn=admin,ou=groups,dc=domain,dc=tld]/member & user" write

->

any member of group 'admin' (groupOfNames) can write to...

I'm not sure if that's what you're trying to do.

Zdenek
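Jonathan's set-based rule, written out as a complete cn=config fragment for the group layout Darryl describes (cn=<group>,ou=Groups with an admin subgroup cn=admin,cn=<group>,ou=Groups). This is an added example and not code from anyone in the thread; the database DN olcDatabase={1}hdb,cn=config, the dc=moores,dc=ca suffix and the exact subgroup name cn=admin are assumptions. It is a config fragment, so nothing here is executed.

```ldif
# Added example (not from the thread). Assumes the first backend is
# olcDatabase={1}hdb,cn=config and that groups are groupOfNames entries
# whose admins live in a child entry named cn=admin under each group.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by anonymous auth
  by self write
  by * none
# For every entry below ou=Groups, "this" is the entry being accessed.
# [ldap:///] + this + [??one?(cn=admin)] builds the URL
# ldap:///cn=<group>,ou=Groups,dc=moores,dc=ca??one?(cn=admin), which slapd
# expands by an internal one-level search; /member takes that entry's
# member values and "& user" keeps only the bound DN. Non-empty => write.
olcAccess: {1}to dn.children="ou=Groups,dc=moores,dc=ca"
  by set="([ldap:///] + this + [??one?(cn=admin)])/member & user" write
  by set="this/member & user" read
  by * none
olcAccess: {2}to * by users read by * none
```

Two caveats worth checking before relying on this. First, the admin subgroup entry itself is also covered by dn.children: for cn=admin,cn=mygroup the URL search finds no cn=admin child, so the first clause never matches and the admins only get read on their own membership list; only the rootdn (or an extra clause) can change who the admins are. Second, dn.base and group.exact take literal DNs, not regular expressions, so the trailing $ in Darryl's {4} and {5} rules above means those rules never match anything. After loading the LDIF, slapacl is the quickest way to confirm the effective rights, for example slapacl -b "cn=mygroup,ou=Groups,dc=moores,dc=ca" -D "uid=alice,ou=People,dc=moores,dc=ca" member/write, which prints whether write is granted without touching the live server over the network.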