[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL filter and posix group

To: openldap-technical@openldap.org
Subject: ACL filter and posix group
From: Nicolas RENAULT <nicolas_renault@yahoo.fr>
Date: Fri, 03 Jul 2015 14:20:06 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.fr; s=s2048; t=1435926011; bh=8cy3YIvimCX/Lu/qJxPzbgrjXamiNaG1ZOKqgz/my4g=; h=Date:From:To:Subject:From:Subject; b=lHA1HZXv45cd9e/x71sV/U6iQlQ2WfO8wKeFdbAsR5vN0i/wx72V+5LD1tyrquiG7GVCjyh3EjcCL/HLjhD3Mbyfpq/sSxnD+y2dMieUgrUJW3cS3y+vf2qr6C65eEcEldi74Ldv6wDmvn9foZveTnK8M9vSCb5B1LjoeQHLN59jsx6jwLs4zYOJVH83Glj/4QmeHUXuAwxSCQrVW7BzgIXwW7nVrDrcP1uF8G/nh1RLX+MSxSNTNCUtvcpDuoPzrbka61eU+PVr/6uE4fkX2endWaVN0A89svMZuqCymKuLadm8cuVD4tfkKPYqGiJypa5DfLg4MOX7Zgeo14t1nw==
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0

Hi,

I search a lot but can't find solution so I post here :

I have to allow a user to get informations from internal ldap forenterprise external software (cloud backup for laptop). only someaccounts have to be retreive by this external user.

I create a group (posixgroup) and add members to this one (memberUid)

I create the posixAccount that will be used by external software to getinformations on the member of the new group.(uid,userPassword,mail,givenName,sn)

so I want to make an acl that limit access for the create account toread only informations of users from the created group.

I already test overlay memberOf but it's not working with memberUid (notdn style)


info
openldap server 2.4.40+dfsg-1 on debian jessie

simple ldap

ou=Users,dc=exemple,dc=com     <-- all my users

uid=readers,ou=Users,dc=exemple,dc=com <-- the user i want to use tosee only cn=externalgroupaccess

ou=Groups,dc=exemple,dc=com   <-- posixGroup with memberUid

cn=arcaboxUser,ou=Groups,dc=exemple,dc=com <-- the group thatusers have to be visible.


acl :

access to dn.subtree="dc=Comptes,dc=com"attrs=entry,uid,userPassword,mail,givenName,sn filter=()

        by dn="uid=readers,ou=Users,dc=exemple,dc=com" read
        by * break
access to dn.subtree="dc=Comptes,dc=com"
        by dn="readers,ou=Users,dc=exemple,dc=com" search
        by * break

My problem is on the filter (I think) if I use this :filter=(uid=accountuid)the user "readers" can see the information from accountuid and not fromothers.

but cn=arcaboxUser,ou=Groups,dc=exemple,dc=com wil have more than 200accounts.

Question : Someone have an idea to build a filter that containt allcn=arcaboxUser,ou=Groups,dc=exemple,dc=com memberUid value ?

I see "set" but if I understand this :http://www.openldap.org/faq/data/cache/1133.html , set is only use in bystatement of acl not in filter.


Thank you

Nicolas
(sorry for bad english)

I want to make an acl that limit access for a account to read onlyinformations of users from one group

Prev by Date: Re: gidNumber uniqueness
Next by Date: relax rules control and MMR
Index(es):
- Chronological
- Thread