Re: Question to meta-backend / ldap-backend
On Monday 27 October 2008, Pierangelo Masarati wrote:
> Wilhelm Meier wrote:
> > I don't see how to make this work with the rwm-overlay or some
> > sort of acls.
> > But I'm sure, I missed something ...
>
> You probably didn't read slapd.access(5) where it discusses the
> "filter" form of the <what> clause.
Thank you for this advice, but it doesn't fully solve the problem:
access to attrs=userPassword,shadowLastChange
        dn.regex="uid=([^,]+),ou=Benutzer,dc=kmux,dc=de"
        filter="gidNumber=998"
        by dn="cn=admin,dc=kmux,dc=de" write
        by anonymous auth
        by self write
        by * none
This limits the authentication to users whose posix primary (!) group
has the gid-number 998 (the dn.regex in the example above isn't
needed).
But that's not the whole story. We also want to grant access to those
users for whom one of their secondary (!) posix groups is some special
group, e.g. cn=archiv,ou=gruppen,dc=kmux,dc=de
So it must be possible to search for an object of
objectclass=posixGroup with the attribute memberUid=<uid>, where
<uid> is the value of the uid attribute of the user who tries to
bind to the slapd. If this search returns one (or more) results, the
user should be authenticated.
--
Wilhelm
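The two-step check the post asks for (look up the binding user's entry, then search for posixGroup entries whose memberUid lists that uid) can be modelled outside slapd to see exactly what has to hold. The script below is an added example written for this page, not code from the post or from the OpenLDAP project. It runs against a constructed in-memory directory that mimics the DNs in the post (the entries alice, bob, carol, cn=users and the memberships are invented), uses a deliberately tiny filter evaluator that only understands equality items and &/| groups, and takes the "special group" to be the post's cn=archiv example and the primary gid to be 998 as in the ACL. The escaping step is the part worth noting for anyone who builds such a filter from a uid supplied at bind time: RFC 4515 escaping keeps a value like "*" or "alice)" from altering the filter.

```python
"""
Hypothetical model of the check described in the post: find the user's entry,
then look for posixGroup entries with memberUid=<uid>.  Runs against a
constructed in-memory directory, not a real slapd.
"""
import re

# Constructed sample tree modelled on the DNs in the post (dc=kmux,dc=de).
DIRECTORY = [
    {"dn": "uid=alice,ou=Benutzer,dc=kmux,dc=de",
     "objectClass": ["posixAccount"], "uid": ["alice"], "gidNumber": ["998"]},
    {"dn": "uid=bob,ou=Benutzer,dc=kmux,dc=de",
     "objectClass": ["posixAccount"], "uid": ["bob"], "gidNumber": ["1000"]},
    {"dn": "uid=carol,ou=Benutzer,dc=kmux,dc=de",
     "objectClass": ["posixAccount"], "uid": ["carol"], "gidNumber": ["1000"]},
    {"dn": "cn=archiv,ou=gruppen,dc=kmux,dc=de",
     "objectClass": ["posixGroup"], "cn": ["archiv"], "gidNumber": ["998"],
     "memberUid": ["bob"]},
    {"dn": "cn=users,ou=gruppen,dc=kmux,dc=de",
     "objectClass": ["posixGroup"], "cn": ["users"], "gidNumber": ["1000"],
     "memberUid": ["alice", "bob", "carol"]},
]

PRIMARY_GID = "998"                                      # from the post's ACL filter
SPECIAL_GROUP_DN = "cn=archiv,ou=gruppen,dc=kmux,dc=de"  # the post's example group


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value: '*', '(', ')', '\\' and NUL
    become \\2a \\28 \\29 \\5c \\00, so user input cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s):
    """Parse one filter component; returns (node, remaining_text).
    Supported: (attr=value), (&...), (|...)."""
    if not s.startswith("("):
        raise ValueError("filter component must start with '(': %r" % s)
    if s[1:2] in ("&", "|"):
        op, rest, children = s[1], s[2:], []
        while rest.startswith("("):
            child, rest = _parse(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter: %r" % s)
        return (op, children), rest[1:]
    # An unescaped ')' cannot occur inside a value, so the first one ends the item.
    end = s.index(")")
    if "=" not in s[1:end]:
        raise ValueError("only equality items are supported: %r" % s[:end + 1])
    attr, value = s[1:end].split("=", 1)
    return ("=", attr, _unescape(value)), s[end + 1:]


def parse_filter(s):
    node, rest = _parse(s)
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _values(entry, attr):
    # Attribute names are case-insensitive in LDAP; values are compared
    # exactly here (a real server applies the schema's matching rule).
    for key, vals in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return vals
    return []


def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, c) for c in node[1])
    if node[0] == "|":
        return any(matches(entry, c) for c in node[1])
    _, attr, value = node
    return value in _values(entry, attr)


def search(directory, filter_str):
    """Return every entry matching the (restricted) RFC 4515 filter string."""
    node = parse_filter(filter_str)
    return [e for e in directory if matches(e, node)]


def may_authenticate(directory, uid):
    """True if the user's primary group is PRIMARY_GID, or if one of the
    posixGroup entries listing memberUid=<uid> is the special group."""
    users = search(directory, "(&(objectClass=posixAccount)(uid=%s))"
                   % escape_filter_value(uid))
    if len(users) != 1:           # unknown or ambiguous uid: refuse
        return False
    if PRIMARY_GID in _values(users[0], "gidNumber"):
        return True
    groups = search(directory, "(&(objectClass=posixGroup)(memberUid=%s))"
                    % escape_filter_value(uid))
    return any(g["dn"] == SPECIAL_GROUP_DN for g in groups)


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, may_authenticate(DIRECTORY, name))
```

With the constructed tree, alice passes on her primary gid, bob passes only through his cn=archiv secondary membership, and carol is refused; a uid of "*" is escaped to "\2a" and therefore matches no entry instead of every entry.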