
Re: grant access on a attribute specific value



Fabrice Eudes wrote:

> Pierangelo Masarati a écrit :
>> if access depends on values in the "who", use sets; in your case,
>> something like
>>
>> access to dn="cn=foo,ou=groups,dc=example,dc=com"
>>     attrs=cn,description,memberUid,entry
>>     by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
> wow ! no chance I could find that on my own, especially because the
> slapd.access manpage says « The statement set=<pattern> is undocumented
> yet. » :-)

The only documentation is in
<http://www.openldap.org/faq/data/cache/1133.html>.

>> should work (note: indentation has probably been destroyed by my
>> mailer).
> no, it doesn't work :-(
> precisely, in slapd.conf, I've added:
> 
>> access to dn.children="ou=groupes,dc=domain"
>>           attrs=cn,description,memberUid,entry
>>        by dn="cn=adminLDAP,dc=domain" write
>>        by set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
>>        by users read
> iremLillePerson = inetOrgPerson + groupesTravail(multi-valued)
> 1200 = value of the attribute for which I want to give write access.
> 
> when I give an explicit:
> by dn="cn=name,ou=personnes,dc=domain"
> instead of the set clause, it works.

My fault (and a bug in the code): remove the "1.1", leaving the "attrs"
field of the URI empty.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
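The corrected ACL from this exchange, written out as an added example rather than the thread's own configuration: the attribute names, base DNs and the value 1200 come from Fabrice's snippet, the rest is assumed.

```conf
# slapd.conf excerpt (added example, not from the thread).
# Group entries under ou=groupes,dc=domain become writable by any bound user
# whose own entry is returned by the LDAP URI inside the set clause.
#
# URI layout:  ldap:///<base>?<attrs>?<scope>?<filter>
# The <attrs> field is left empty ("??") instead of "1.1": with "1.1" the set
# never matched (the bug Pierangelo mentions), so no user got write access.
# "/entryDN & user" intersects the DNs found by the URI with the bound DN;
# a non-empty intersection means the "by" clause applies.
access to dn.children="ou=groupes,dc=domain"
        attrs=cn,description,memberUid,entry
    by dn="cn=adminLDAP,dc=domain" write
    by set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
    by users read
```

slapacl(8) can check the outcome against this config offline, with -D set to a user entry's DN and -b set to a group entry's DN, before the change goes live.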