Re: Recursive ACL entries (group member of group)
> Hi,
>
> This can be achieved using ACL sets. There is in fact an example of
> exactly this use case in the admin guide!
> http://www.openldap.org/doc/admin24/access-control.html#Sets -
> Granting rights based on relationships
>
> It is noted in the documentation that sets are experimental. Just to add
> a word onto that, I use sets in several production environments, and
> have absolutely no stability problems.
>
> However, depending on the sets you use, the performance hit can be
> important (sets can fire off thousands of search requests just to
> evaluate one ACL, if they're badly written). Also, ACLs with sets are
> not cached.
>
> Hope this helps,
> Jonathan
Thanks a lot!
This should work. But unfortunately it does not :-(
My ACL looks like this now:
access to dn.sub="ou=agents,dc=myDomain"
        filter=(objectclass=person)
        by set="[cn=UserManagement,ou=rights,dc=myDomain]/member*" write
        by self read
cn=Test,ou=agents,dc=myDomain
is a member of
cn=supervisor,ou=groups,dc=myDomain
which is a member of
cn=UserManagement,ou=rights,dc=myDomain
Test has write access to all other agents. But he still has the right
when I remove cn=supervisor... from the Usermanagement group.
Any idea why? How can I debug ACLs? Is it possible to print info or do
something like setting breakpoints?
Jan
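The thread leaves open why the write access survives the group change. As an added illustration (not code from the thread and not OpenLDAP's own sets implementation), here is a small Python model of how slapd evaluates a `by set=` clause, run over a constructed in-memory directory that mirrors the entries named in the mail plus one assumed extra direct member, cn=Admin. The model captures two properties of the set language: `[dn]/member*` is the closure of `member` starting at dn (members, members of members, and so on, each hop costing an internal lookup, which is where the performance warning above comes from), and a set clause applies whenever the set it evaluates to is non-empty. That second property is why the admin guide's examples intersect the set with `user`; the model shows what a clause with and without `& user` yields before and after cn=supervisor is removed from UserManagement.

```python
# Added example, not part of the thread: a simplified model of slapd's
# evaluation of  by set="[group]/member*"  over a constructed directory.
from typing import Dict, List, Set

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

GROUP = "cn=UserManagement,ou=rights,dc=myDomain"
TEST = "cn=Test,ou=agents,dc=myDomain"
OTHER = "cn=Other,ou=agents,dc=myDomain"
ADMIN = "cn=Admin,ou=agents,dc=myDomain"      # assumed extra direct member


def sample_directory() -> Directory:
    """Constructed entries: Test -> supervisor -> UserManagement, plus Admin."""
    return {
        GROUP: {"objectClass": ["groupOfNames"],
                "member": ["cn=supervisor,ou=groups,dc=myDomain", ADMIN]},
        "cn=supervisor,ou=groups,dc=myDomain": {
            "objectClass": ["groupOfNames"], "member": [TEST]},
        TEST: {"objectClass": ["person"]},
        OTHER: {"objectClass": ["person"]},
        ADMIN: {"objectClass": ["person"]},
    }


def norm(dn: str) -> str:
    # slapd compares normalized DNs; case folding is enough for this model
    return dn.lower()


def closure(directory: Directory, base_dn: str, attr: str) -> Set[str]:
    """DNs reachable from base_dn by following `attr` repeatedly, i.e. the
    set expression  [base_dn]/attr* . Each DN is visited once, so cycles
    between groups cannot loop forever."""
    lookup = {norm(dn): entry for dn, entry in directory.items()}
    result: Set[str] = set()
    frontier = [norm(base_dn)]
    while frontier:
        dn = frontier.pop()
        for value in lookup.get(dn, {}).get(attr, []):
            member = norm(value)
            if member not in result:
                result.add(member)
                frontier.append(member)
    return result


def set_clause_applies(result: Set[str]) -> bool:
    """A `by set=...` clause matches when the evaluated set is non-empty."""
    return len(result) > 0


def grants_without_user(directory: Directory, group_dn: str, requester: str) -> bool:
    # set="[group]/member*"  as written in the mail: the bound DN is never consulted
    return set_clause_applies(closure(directory, group_dn, "member"))


def grants_with_user(directory: Directory, group_dn: str, requester: str) -> bool:
    # set="[group]/member* & user": the closure intersected with the bound DN
    return set_clause_applies(closure(directory, group_dn, "member") & {norm(requester)})


def demo() -> Dict[str, bool]:
    d = sample_directory()
    out = {
        "with_user: Test before": grants_with_user(d, GROUP, TEST),
        "with_user: Other before": grants_with_user(d, GROUP, OTHER),
    }
    # remove cn=supervisor from UserManagement, as described in the mail
    d[GROUP]["member"] = [ADMIN]
    out["with_user: Test after"] = grants_with_user(d, GROUP, TEST)
    out["without_user: Test after"] = grants_without_user(d, GROUP, TEST)
    return out


if __name__ == "__main__":
    for label, granted in demo().items():
        print(f"{label}: {'write' if granted else 'denied'}")
```

To check an ACL against the real configuration without attaching a debugger, slapacl(8) evaluates a single access decision offline for a given bind DN and target entry, for example `slapacl -f slapd.conf -D "cn=Test,ou=agents,dc=myDomain" -b "cn=Other,ou=agents,dc=myDomain" "cn/write"`, and starting the server with `slapd -d acl` (or setting `loglevel acl` in slapd.conf) logs every ACL clause as it is tried, including the set evaluations.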