[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Lazy ACLs and keeping your DIT as flat as possible

To: openldap-technical@openldap.org
Subject: Re: Lazy ACLs and keeping your DIT as flat as possible
From: Gavin Henry <ghenry@suretec.co.uk>
Date: Thu, 16 Aug 2012 14:23:09 +0100
In-reply-to: <CAPcb_G+HXXPn1pCt4Ha_pOcSG987S8rRCWBxfoALwyi6pLrvYw@mail.gmail.com>
References: <CAPcb_G+HXXPn1pCt4Ha_pOcSG987S8rRCWBxfoALwyi6pLrvYw@mail.gmail.com>

> Hi All,
>
> I'm pretty sure that this isn't possible, but wanted to check as my
> head hurts now.

I guess I'll need to re-work my DIT then to make this design sane.

Thanks.

> I have dynamic lists using slapo-dynlist with the Organization
> attribute of 'o' and I am trying to keep my DIT as flat as possible.
>
> I want to create an ACL that is "by group", which is fine. But....I
> don't want to hardcode a group.
>
> I want to "capture" o via a regex and use that in the "by group" like so:
>
> access to dn.subtree="ou=Users,dc=suretec,dc=co,dc=uk"
>       attrs=o
>         val.regex="(.+)"
>         attrs=children,entry
>     by group.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk" read
>     by self write
>
> or something like the following using a previous capture:
>
> access to filter=(&(objectClass=inetOrgPerson)(o=$1))
>     by group/groupOfURLs/memberURL.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk"
> read
>     by self write
>     by * none
>
> Issue is you can't pass captures between "access by" statements and my
> ACLs are flawed based on what you're searching for, which would be
> perfect. The goal being users in the same group can only see users on
> ou=Users of that group, with out hard coding group name in the conf.
>
> I guess I'll have to create branches to split up users. Then again,
> I'm adding a group to ou=Groups, why shouldn't I at the same time add
> a new ACL via cn=config?
>
> Cheers.
>
> --
> Kind Regards,
>
> Gavin Henry.
> Managing Director.
>
> T +44 (0) 1224 279484
> M +44 (0) 7930 323266
> F +44 (0) 1224 824887
> E ghenry@suretec.co.uk
>
> Open Source. Open Solutions(tm).
>
> http://www.suretecsystems.com/
>
> Suretec Systems is a limited company registered in Scotland. Registered
> number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
> Aberdeenshire, AB51 8GL.
>
> Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
>
> Do you know we have our own VoIP provider called SureVoIP? See
> http://www.surevoip.co.uk
>
> Did you see our API? http://www.surevoip.co.uk/api



-- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretec.co.uk

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.

Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

Do you know we have our own VoIP provider called SureVoIP? See
http://www.surevoip.co.uk

Did you see our API? http://www.surevoip.co.uk/api

References:
- Lazy ACLs and keeping your DIT as flat as possible
  - From: Gavin Henry <ghenry@suretec.co.uk>

Prev by Date: RE: acls
Next by Date: RE: LDAP authentication using Radius
Index(es):
- Chronological
- Thread