
Re: filter acl regex



>
> > Hi.
> >
> > I am looking for help with an ACL.  What I would like to do, is determine
> > the name of a group that I will be searching for members of, based on an
> > attribute in the username.
> >
> > For example, suppose you have the following user entries, that contain an
> > attribute that we will call groupname.
> >
> > dn: cn=user1,ou=users,o=mydomain.com
> > groupname: group1
> >
> > dn: cn=user2,ou=users,o=mydomain.com
> > groupname: group2
> >
> > Then, I have some groups.
> >
> > dn: cn=group1,ou=users,o=mydomain.com
> > member: cn=user1,ou=users,o=mydomain.com
> >
> > dn: cn=group2,ou=groups,o=mydomain.com
> > member: cn=user2,ou=users,o=mydomain.com
> >
> > Is there a way to use the value of a filter in the what section, to be
> > re-used in the who section of the ACL?
> >
> > For example:
> >
> > access to dn.children="ou=users,o=mydomain.com" filter=(groupname=(.+))
> > 	by group.expand="cn=$1,ou=groups,o=mydomain.com" write
> >
> > Or any other way to do something similar?  Basically, I want to capture
> > the value of an attribute in the user and use that as part of the group to
> > search for members of.
> >
> > Is that possible?
>
> To my knowledge, no, and I don't see it as a reasonable approach.  The
> only thing that gets close to what you mean seems to be "sets", but they
> essentially lack arbitrary string concatenation capabilities.
>
> If your entry stored the group's DN instead of its common name, things
> would have been quite straightforward.  This is the "memberOf" approach,
> something like
>
> access to dn.children="ou=users,o=mydomain.com"
> 	by set="user & (this/memberOf)/member" write


That sounds like a good approach.  Sets look pretty interesting.  I've
been reading about them in the FAQs.  Still having trouble grasping it,
but after some more coffee and a few more reads through I hope I'll get
the idea.

I'm not confined to my original approach, so I'll give it a shot with the
memberOf approach.

>
> would do the trick.  To build the DN of the group out of its common name
> requires something like a '+' operator that causes two pieces of string to
> concatenate, so that one can write a rule of the kind
>
> access to dn.children="ou=users,o=mydomain.com"
> 	by set="user & ([cn=]+this/groupname+[,ou=groups,o=mydomain.com])/member" write
>
> I was planning to develop something like that, so I suggest you file an
> ITS to request it and keep track of its implementation.

I can file an ITS.  I'm still not up to par in understanding sets, so I'll
try to get that figured out first, so that I know how to accurately describe
what I am asking for in the ITS.

>
> p.
>
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it
>

Thanks for the reply, your help is appreciated.

-Dusty Doris
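As an added illustration of the set rule Pierangelo proposes (example code written for this page, not from the thread or from OpenLDAP itself): a small Python model of how slapd evaluates `user & (this/memberOf)/member` over a constructed in-memory directory in which each user entry stores its group's DN in an assumed `memberOf` attribute, so you can see which bound DNs the rule would grant write to.

```python
# Added example (not from the thread or OpenLDAP): a minimal model of the
# slapd set-ACL  by set="user & (this/memberOf)/member" write
# Semantics modelled: "user" is the bound DN, "this" is the target entry,
# "/attr" collects attr values from every entry in a DN set, "&" intersects,
# and the rule matches when the resulting set is non-empty.

# Constructed directory: user entries hold the group DN (memberOf approach,
# assumed attribute name), groups hold their members.
DIRECTORY = {
    "cn=user1,ou=users,o=mydomain.com":
        {"memberOf": ["cn=group1,ou=groups,o=mydomain.com"]},
    "cn=user2,ou=users,o=mydomain.com":
        {"memberOf": ["cn=group2,ou=groups,o=mydomain.com"]},
    "cn=group1,ou=groups,o=mydomain.com":
        {"member": ["cn=user1,ou=users,o=mydomain.com"]},
    "cn=group2,ou=groups,o=mydomain.com":
        {"member": ["cn=user2,ou=users,o=mydomain.com"]},
}


def norm(dn: str) -> str:
    """DNs compare case-insensitively; our constructed data has no spacing quirks."""
    return dn.lower()


def follow(dns, attr: str) -> set:
    """The '/attr' set operator: attr values from every entry named in dns."""
    out = set()
    for dn in dns:
        for value in DIRECTORY.get(norm(dn), {}).get(attr, []):
            out.add(norm(value))
    return out


def set_acl_matches(bound_dn: str, target_dn: str) -> bool:
    """Evaluate  user & (this/memberOf)/member  for one bound DN and target."""
    user = {norm(bound_dn)}
    this = {norm(target_dn)}
    groups_of_target = follow(this, "memberOf")        # this/memberOf
    members_of_those = follow(groups_of_target, "member")  # (...)/member
    return bool(user & members_of_those)               # non-empty => match
```

Because the "who" side is derived from the target entry's own memberOf attribute, whoever may write that attribute also decides which group gains write access, so a preceding rule restricting that attribute (slapd's `attrs=` clause) is worth pairing with this one.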