Re: ACL group

["Alexandre Garel" <garel.alexandre@agora.msa.fr>]

Alexandre Garel a écrit :

> lucie wermer a écrit :
>
> > Hi,
> > I have a directory in which people are in the branch "ou=People", and 
> > groups in the branch "ou=groups".
> > I need an ACL to autorize an entry
> > "uid=manager,dc=org,dc=fr" to access to the  entrees
> > that are member of a specific group.
> > Only this entry can access to the entrees from
> > "ou=people" that are in the group
> > "cn=VIP,ou=groups,dc=org,dc=fr"
> >
> > I hope I am clear enough.
> > Thanks for any help!
> >  
> It would be easier to make entries have an attribute employeeType (or 
> manager or whichever you want) attribute which would be set to VIP. So 
> your ACL rule would be :
> access to dn.children="ou=people,dc=org,dc=fr" 
> filter="(employeeType=VIP)"
> by "uid=manager,dc=org,dc=fr" write
> by * none
>
> There is the possibility to use groups but that's to specify the who 
> can access entry (and not which entry can be). So that's the contrary 
> of your problem.
> I am not such an ACL expert , so I don't know if your original request 
> can be satisfied.
> Alex.
I just post an hint to another message that shall also do for you. Well, 
I just read it in Faq-o-matic, never tested such a thing but maybe it's 
what you need. See set explanation at 
http://www.openldap.org/faq/data/cache/452.html.
With set you can do :

access to dn.one="ou=people,dc=org,dc=fr"
by dn.exact="uid=manager,dc=org,dc=fr" set="this & 
[cn=VIP,ou=groups,dc=org,dc=fr]/member" write
by * none

If I am understand well faq-o-matic, this check that user is the manager 
and that the intersection of entry dn with the values of member 
attribute in VIP group. (of course if you have, say, a 
GroupOfUniqueNames you'll have to use uniqueMember instead of member)
It's just an hint, you should try if you like adventure. Maybe ACL guru 
on the list could confirm
Alex.