[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACLs based on attributes?
Quoting Dieter Kluenter <dieter@dkluenter.de>:
this rule should do the trick:
access to dn.regex="cn=([^,]+),ou=whatsoever$"
attrs=telephoneNumber
by set="user/title & [telephoneManager]" write
Yes!!!
This is what I'm using now:
access to attrs=telephoneNumber
by set="user/title & [telephonemanager]" write
by users read
This works for a user with attr title=telephonemanager. However, to
demonstrate the flexibility of this set rule...
access to attrs=telephoneNumber
by set="user/description & [telephonemanager]" write
by users read
... this works for a user with attr description=telephonemanager!
This is cool regardless, but I think my NIU-friend would say that it's
cool because this set rule allows you to give users telephonemanager
privileges without the need to maintain a telephonemanager group.
Actually, I think this solution can be improved upon significantly.
For example, what if our privileged user had this attribute:
description: titlemanager telephonemanager addressmanager
Can a a set rule be devised to match not only users with a description
value that equals "telephonemanager", but also one that includes it in
a longer string? We would need something like:
access to attrs=telephoneNumber
by set="user/description & [*telephonemanager*]" write
by users read
Only, that doesn't work.
Is this possible?
Many thinks,
Jaap