Re: access control question

[Dave Holland <dh3@sanger.ac.uk>]

[I'm resending this as the first attempt didn't make it to the list.]

On Thu, Jul 07, 2005 at 07:00:34PM +0200, Dieter Kluenter wrote:
> You don't have to update. I think 'sets' will ideally meet your tasks.
> http://www.openldap.org/faq/data/cache/1133.html

Thanks. That looks like a very powerful syntax, but I'm afraid I can't
see how to implement the "if / then / else" logic which I need:

> > If a cn=readers groupOfNames entry is present, allow read-only access to
> > those DNs, allow write access to DNs in cn=administrators, and disallow
> > access to everyone else. But if there is NO cn=readers entry, allow read
> > access to anyone.

The best I have come up with is this:

access to dn.regex="ou=([^,]+),ou=projects...$"
        by group.expand="cn=administrators,ou=$1,..." write
        by set.expand="[cn=readers,ou=$1,ou=projects,...]/member* & user" read
        by * none

which means I can add "cn=absolutelyeveryone" as a member to cn=readers
and it will be recursively expanded to allow read access to all. But
that doesn't enable the option of allowing anonymous read access, which
would be very useful.

Do you know how I could implement that? Alternatively, is there any more
documentation for sets than is in the faq-o-matic? Some more
configuration examples would be very welcome. Does anyone have a config
file they'd be willing to share?

Thanks,
Dave
-- 
** Dave Holland ** Systems Support -- Special Projects Team **
** 01223 496923 ** Sanger Institute, Hinxton, Cambridge, UK **