[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access control, groups/organizationalRole

To: openldap-technical@openldap.org
Subject: Re: access control, groups/organizationalRole
From: Frederik Bosch <frederik.bosch@gmail.com>
Date: Thu, 26 Aug 2010 11:22:50 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=0pLa/cBRvJBlBYVop9XPNhnkqgUj5C5AXx4USVdcPs8=; b=OpvadAEBGRKFaAF+nGANk4c1KWUjzwZW2bDgsPvHo2yJlzKdZHck6JeIT6IJjHf/XP 4cKlxIpWZeMXk3x0Vd/qydijfFucwULeISTvNckRM8v8+dcr6Tu0rA4zz3IN42Pde/Ks oIizCWoNskIHQtKCAUi532fz61ueusVxLqvEY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; b=Rej3WgKwbNBnJeRlrtUBsiFQ4CkAAeq7tTG7RVp4Vnt8pd5dOALEofz4E4pZqysOtV Bf8ITSZfi+NPoEkgjdW7fcujP/9HzN4IJL7y2e9oe+CRIqd2YjC41VqTlU6M2jLRmrMI T4QbWkwYK00fFz84KVnmFSvZN0fkC8GohzEeQ=
In-reply-to: <4C762A06.8010804@gmail.com>
References: <4C729BBE.2020204@gmail.com> <4C750E32.9030503@gmail.com> <4C762A06.8010804@gmail.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; nl; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2

By the way. This seems to be correct syntax, but does not give me thecorrect result.


access to attrs=uid,userPassword
        by anonymous auth
        by * none

access to *
        by group/organizationalRole/roleOccupant.regex=".+" read
        by * none

I am able to bind, but not to read the tree.

Frederik



Op 26-8-2010 10:47, Frederik Bosch schreef:

Thanks again Dieter. That looks way to difficult for me :). I changedsome things. Now suppose that I want to assign read access to everyroleOccupant in a organizationalRole.
    access to * by group/organizationalRole/roleOccupant read

But that's not correct syntax. Slapd won't start. It has to be like this:

    access to * by group/organizationalRole/roleOccupant="<DN>" read

What syntax do I need to let "<DN>" match the whole tree?

Thanks for the help,
Frederik


Op 25-8-2010 14:36, Frederik Bosch schreef:
That's not what I mean, but thanks for your suggestion.
Let me try to rephrase. Suppose I have an organizationalRole locatedin Amsterdam and Rotterdam. Now I only want to assign rights to alloccupants of the organizationalRole located in Amsterdam.
In xpath-like syntax, this would look like this.
access to * bygroup/organizationalRole[@location="Amsterdam"]/roleOccupant read
How do I need to rewrite this for slapd?
Thanks,

Frederik



On 08/23/2010 06:03 PM, Frederik Bosch wrote:
Hello,

I am trying to setup an access control rule, but failed. All occupants
of the objectClass organizationalRole which has a certain location may
have read access. How do I setup this rule in slapd.conf?

This is my line at the moment. This matches the dn of the occupant. But
how do I match the location attribute of the organizationalRole?

access to * by
group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com"
read

Thanks in advance,

Frederik

Follow-Ups:
- Re: access control, groups/organizationalRole
  - From: Frederik Bosch <frederik.bosch@gmail.com>

References:
- access control, groups/organizationalRole
  - From: Frederik Bosch <frederik.bosch@gmail.com>
- Re: access control, groups/organizationalRole
  - From: Frederik Bosch <frederik.bosch@gmail.com>
- Re: access control, groups/organizationalRole
  - From: Frederik Bosch <frederik.bosch@gmail.com>

Prev by Date: Re: syncrepl help
Next by Date: Re: Samba, Openldap and ppolicy
Index(es):
- Chronological
- Thread