
Re: ACLs based on attributes?



Quoting Dieter Kluenter <dieter@dkluenter.de>:

> this rule should do the trick:
> access to dn.regex="cn=([^,]+),ou=whatsoever$"
>           attrs=telephoneNumber
>        by set="user/title & [telephoneManager]" write

Yes!!!

This is what I'm using now:

   access to attrs=telephoneNumber
        by set="user/title & [telephonemanager]" write
        by users read

This works for a user with attr title=telephonemanager. However, to demonstrate the flexibility of this set rule...

   access to attrs=telephoneNumber
        by set="user/description & [telephonemanager]" write
        by users read

... this works for a user with attr description=telephonemanager!

This is cool regardless, but I think my NIU-friend would say that it's cool because this set rule allows you to give users telephonemanager privileges without the need to maintain a telephonemanager group.

Actually, I think this solution can be improved upon significantly. For example, what if our privileged user had this attribute:

   description: titlemanager telephonemanager addressmanager

Can a set rule be devised to match not only users with a description value that equals "telephonemanager", but also one that includes it in a longer string? We would need something like:

   access to attrs=telephoneNumber
        by set="user/description & [*telephonemanager*]" write
        by users read

Only, that doesn't work.

Is this possible?

Many thanks,

Jaap
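As an added example that is not part of the thread, the Python below models how slapd evaluates the ACL in Jaap's message: `user/description` expands to the bound user's values of that attribute, `&` is set intersection, and `[...]` is a one-element literal set, so the clause matches only when one of the user's values equals the literal exactly. It also goes a step beyond the question as posed: the three-role case matches if the roles are stored as three separate values of the multi-valued description attribute rather than as one space-separated value. The directory entries, DNs and the case-insensitive comparison (modelled on caseIgnoreMatch, which title and description use for equality) are constructed assumptions for the example; no wildcard form of the bracketed literal exists in the set syntax.

```python
from typing import Dict, List, Optional

# Constructed sample directory (not from the original post): bound-user DN ->
# attribute name -> list of values. "description" is multi-valued in the
# core schema, so one entry may carry several separate values.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "title": ["telephonemanager"],
        "description": ["Office manager"],
    },
    "cn=bob,ou=people,dc=example,dc=com": {
        # A single value that merely contains the word: one value, not three.
        "description": ["titlemanager telephonemanager addressmanager"],
    },
    "cn=carol,ou=people,dc=example,dc=com": {
        # The same three roles stored as three separate values.
        "description": ["titlemanager", "telephonemanager", "addressmanager"],
    },
}


def user_attr_set(user_dn: str, attr: str) -> set:
    """Expand 'user/<attr>': the set of the bound user's values for attr."""
    values = DIRECTORY.get(user_dn, {}).get(attr, [])
    # Assumption: compare with caseIgnoreMatch semantics, as title and
    # description do for equality; lower-casing models that here.
    return {v.lower() for v in values}


def set_clause_matches(user_dn: Optional[str], attr: str, literal: str) -> bool:
    """Model of  by set="user/<attr> & [<literal>]".

    '&' is set intersection and '[...]' is a literal one-element set, so the
    clause holds only if one of the user's values equals the literal exactly.
    '[*telephonemanager*]' is therefore just the literal string
    '*telephonemanager*', not a pattern.
    """
    if user_dn is None:  # anonymous bind: 'user' is empty, so is user/<attr>
        return False
    return bool(user_attr_set(user_dn, attr) & {literal.lower()})


def effective_access(user_dn: Optional[str], attr: str, literal: str) -> str:
    """Evaluate the ACL from the post on telephoneNumber for one bound user:

        access to attrs=telephoneNumber
            by set="user/<attr> & [<literal>]" write
            by users read

    slapd takes the first 'by' clause that matches; 'users' means any
    authenticated bind, and the implicit trailing 'by * none' denies the rest.
    """
    if set_clause_matches(user_dn, attr, literal):
        return "write"
    if user_dn is not None:
        return "read"
    return "none"


if __name__ == "__main__":
    for dn in list(DIRECTORY) + [None]:
        who = dn or "anonymous"
        for attr in ("title", "description"):
            print(f"{who:40} {attr:12} "
                  f"{effective_access(dn, attr, 'telephonemanager')}")
```

Running it shows alice gaining write via title but only read via description, bob (one value containing three words) getting only read, and carol (three separate values) getting write. One caveat follows directly from this design: whoever can write a user's title or description can hand out telephonemanager rights, so the ACL covering those attributes must not let users modify them on their own entries.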