idea for access rules #2
Hi again,
Have a subtree like this:
ou=users
    cn=me
ou=data
    ou=data1
        cn=fact1
        cn=fact2, owner=cn=me,ou=users
    ou=data2
        cn=fact3
        cn=fact4
So this time, some child elements of a dataX-subtree are "owned" by
certain users. What I want: when a user (cn=me) traverses the LDAP
tree, (s)he should only see the dataX-subtrees with at least one
child owned by this user. For the example above, the user cn=me
should get read access to "ou=data1" and to "cn=fact2,ou=data1",
but he should NOT get read access to ou=data2 and its children.
Specifying the access to the "cn=factX" entries is already solved,
now the only problem is to deny access to some of the "ou=dataX"
subtrees:
My current idea is something like this:
access
    to dn.regex="(ou=[^,]+,ou=data)"
    by set.expand="([ldap://127.0.0.1?base=$1?scope=sub]/owner) & user"
which should find all entries in a dataX subtree, collect their owners
and "compare" them with the current user.
But this does not look "nice" to me because of the additional required
LDAP search. Is there a more straightforward solution for this?
If not: is this search operation really EXECUTED? Which bind DN is used
to execute the search? The "current" one? I guess, to find the search
results for the LDAP query all access rules for the current user apply?
Thanks and regards
-stefan-
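The access decision the post describes (match an "ou=dataX,ou=data" entry, collect the owner values of every entry beneath it, grant read only if the bound user is among them) can be modelled outside slapd to check that the intended semantics really produce "data1 visible, data2 hidden". The following is an added example, not code from the original post or from OpenLDAP: it keeps a constructed copy of the subtree in a dict, anchors the post's regex with fullmatch (an assumption; slapd's own regex anchoring is not addressed here), and performs the owner lookup directly on the dict, so it deliberately says nothing about which bind DN slapd would use for the real internal search or whether ACLs apply to it, which is exactly the open question in the post.

```python
import re
from typing import Optional

# Constructed sample directory mirroring the subtree in the post.
# Each DN maps to its attributes; only "owner" matters for the rule.
# A second user (cn=other) is added to show the rule is per-user.
DIRECTORY = {
    "ou=users": {},
    "cn=me,ou=users": {},
    "cn=other,ou=users": {},
    "ou=data": {},
    "ou=data1,ou=data": {},
    "cn=fact1,ou=data1,ou=data": {},
    "cn=fact2,ou=data1,ou=data": {"owner": ["cn=me,ou=users"]},
    "ou=data2,ou=data": {},
    "cn=fact3,ou=data2,ou=data": {"owner": ["cn=other,ou=users"]},
    "cn=fact4,ou=data2,ou=data": {},
}

# The target pattern from the post; $1 becomes the search base.
TARGET_RE = re.compile(r"(ou=[^,]+,ou=data)")


def subtree(base: str) -> list:
    """Entries a scope=sub search rooted at `base` would return
    (the base entry itself plus everything below it)."""
    return [dn for dn in DIRECTORY if dn == base or dn.endswith("," + base)]


def owners_in_subtree(base: str) -> set:
    """Union of all owner values found in the subtree, i.e. the set
    the post's '[ldap://...?base=$1?scope=sub]/owner' term stands for."""
    owners = set()
    for dn in subtree(base):
        owners.update(DIRECTORY[dn].get("owner", []))
    return owners


def rule_applies(target_dn: str) -> Optional[str]:
    """Return the captured $1 if the target DN matches the rule's
    dn.regex, else None (rule does not apply to this entry)."""
    m = TARGET_RE.fullmatch(target_dn)  # anchoring is an assumption
    return m.group(1) if m else None


def read_allowed(user_dn: str, target_dn: str) -> Optional[bool]:
    """Evaluate the single access rule for one (user, target) pair.
    None means the rule did not match and slapd would move on to the
    next rule; True/False is the outcome of the set intersection."""
    base = rule_applies(target_dn)
    if base is None:
        return None
    # '(... /owner) & user' is non-empty exactly when the user is an owner.
    return user_dn in owners_in_subtree(base)


def visible_data_subtrees(user_dn: str) -> list:
    """All ou=dataX entries this user would be granted read on."""
    return sorted(dn for dn in DIRECTORY if read_allowed(user_dn, dn))


if __name__ == "__main__":
    for user in ("cn=me,ou=users", "cn=other,ou=users"):
        print(user, "->", visible_data_subtrees(user))
```

Running it shows cn=me gets only ou=data1,ou=data and cn=other only ou=data2,ou=data, while the cn=factX leaves never match the rule and fall through to whatever later rule covers them, which is the behaviour the post wants for the "already solved" fact entries.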