Re: sets and groupOfNames groups
On Sat, 2007-09-15 at 00:45 +0200, Pierangelo Masarati wrote:
> Andreas Hasenack wrote:
>
> > Now I want to be able to use nested groups, so I follow the FAQ and do a
> > test with sets:
> >
> > access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
> > attrs=children,entry,@sudoRole
> > by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*"
> > write
> > by * read
> >
> > Without changing anything in the sudo admins group entry, suddenly I can
> > create new entries under ou=sudoers as any authenticated user. That is,
> > the group still only has the "uid=sudo admin" member, but I can add a
> > new sudo entry as another user:
>
> That's because sets grant permission as soon as the result of their
> evaluation is a non-empty set, and yours will always be non-empty.
Ah, right, that was the missing piece.
> You need to check whether the intersection between the nested group
> expansion and the user is not empty. Something like [any newlines added
> by the mailer]:
>
> by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write
>
> should work.
Worked just fine, thanks!
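The point Pierangelo makes above (a `by set=...` clause grants as soon as the set it evaluates to is non-empty, so `[group]/member*` on its own grants to every bound user, while `[group]/member* & user` grants only when the bound DN is in the expanded membership) is easy to see with a small model. The following is an added example written for this archive page; it is not code from the thread and it is not OpenLDAP's sets.c. It models only the subset of set syntax used here (`[dn]`, `/attr`, `/attr*` as a transitive closure, and `&` with `user`), uses a constructed in-memory directory, and assumes a crude case-fold for DN comparison and that the starting group DN is not itself part of the `/member*` result.

```python
"""Model of slapd `by set=...` evaluation for the two ACL clauses in the thread.

Added example, not OpenLDAP code. The directory below is constructed for the
demo; DN normalisation is a plain case-fold (a simplification).
"""

# Constructed directory (DN -> attributes). Nothing here is real data.
_RAW = {
    "cn=Sudo Admins,ou=System Groups,dc=example,dc=com": {
        "member": [
            "uid=sudo admin,ou=People,dc=example,dc=com",
            "cn=LDAP Admins,ou=System Groups,dc=example,dc=com",  # nested group
        ],
    },
    "cn=LDAP Admins,ou=System Groups,dc=example,dc=com": {
        "member": ["uid=ldap admin,ou=People,dc=example,dc=com"],
    },
    "uid=sudo admin,ou=People,dc=example,dc=com": {},
    "uid=ldap admin,ou=People,dc=example,dc=com": {},
    "uid=joe,ou=People,dc=example,dc=com": {},  # not a member anywhere
}


def normalize(dn):
    """Crude DN normalisation (case-fold only); enough for this demo's comparisons."""
    return dn.lower()


DIRECTORY = {normalize(dn): attrs for dn, attrs in _RAW.items()}


def project(dns, attr, transitive):
    """Model of `[set]/attr` (transitive=False) and `[set]/attr*` (transitive=True).

    Returns the DN values of `attr` found on the input DNs; with transitive=True
    those values are followed recursively, which is how nested groups expand.
    Assumption: the starting DNs themselves are not added to the result.
    """
    result = set()
    frontier = {normalize(d) for d in dns}
    seen = set()
    while frontier:
        dn = frontier.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for value in DIRECTORY.get(dn, {}).get(attr, []):
            value = normalize(value)
            result.add(value)
            if transitive:
                frontier.add(value)
    return result


def set_clause_grants(group_dn, user_dn, intersect_with_user):
    """True when the `by set=...` clause grants, i.e. its result set is non-empty.

    intersect_with_user=False models  set="[group]/member*"
    intersect_with_user=True  models  set="[group]/member* & user"
    """
    members = project([group_dn], "member", transitive=True)
    if intersect_with_user:
        members = members & {normalize(user_dn)}  # the `& user` intersection
    return len(members) > 0


GROUP = "cn=Sudo Admins,ou=System Groups,dc=example,dc=com"

if __name__ == "__main__":
    for who in ("uid=joe,ou=People,dc=example,dc=com",
                "uid=sudo admin,ou=People,dc=example,dc=com",
                "uid=ldap admin,ou=People,dc=example,dc=com"):
        print(who,
              "| member*:", set_clause_grants(GROUP, who, False),
              "| member* & user:", set_clause_grants(GROUP, who, True))
```

Running it shows the failure mode from the first message: with the bare `/member*` clause every bound DN, including `uid=joe`, gets write, because the group's expanded membership is never empty; with `& user` only `uid=sudo admin` (direct member) and `uid=ldap admin` (member through the nested `cn=LDAP Admins` group) are granted. Whenever you write a set-based ACL, ask what the set evaluates to for a user who should be denied, and make sure that case yields the empty set.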