
Re: ACL and multiple mandatory conditions



Emmanuel Dreyfus wrote:
> Hello
>
> The goal is to give access to a resource based on two mandatory
> conditions.
>
> I want user DN to match a rule, and attribute value to match another
> rule, which depends on the user.
>
> This yields me two rules. The first one allows a user that has a given ou
> in ouManager set to modify the authorizedService in this ou. I did not
> test the second one yet, but the idea is that the user has a
> serviceManager attribute telling which value of authorizedService he is
> allowed to set.
>
> access to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService
>      by set.exact="user/ouManager&  this/-1" write stop
>
> access to attrs.regex=authorizedService val.regex="(.*)"
>      by set="user/serviceManager&  ${v1}" write stop
>
> But I need to perform an AND between the two rules. How can that be done?

Concatenate the terms in the sets.

access to dn.regex="^uid=.+,ou=.+,o=home$"
	 attrs=authorizedService val.regex=(.*)
	by set.expand="(user/ouManager + user/serviceManager) &
		(this/-1 + ${v1})" write

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
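Added example (not from this thread or from OpenLDAP): a small Python model of how slapd selects access directives, run over constructed entries, to show why the two separate directives in the question never combine into an AND and how the single set directive in the reply enforces both conditions. slapd uses only the first directive whose `to` clause matches the target, so for any `uid=...,ou=...,o=home` entry the second directive (the serviceManager check) is never consulted and a user with only ouManager can write any value. The set operators are modelled as assumptions taken from the reply: `&` as intersection, `+` as pairwise string concatenation of the two sets, `this/-1` as the parent DN; check them against slapd.access(5) before relying on them.

```python
"""Model of slapd access-directive selection.  Entries are constructed for
this example; the set operators are assumptions (see comments), not a copy
of slapd's own set implementation."""
import re
from itertools import product

# Constructed user entries: which ou each user manages (ouManager) and
# which authorizedService values they may hand out (serviceManager).
ENTRIES = {
    "uid=alice,ou=sales,o=home": {"ouManager": {"ou=sales,o=home"}, "serviceManager": {"imap"}},
    "uid=bob,ou=sales,o=home":   {"ouManager": {"ou=sales,o=home"}, "serviceManager": set()},
    "uid=carol,ou=eng,o=home":   {"ouManager": set(),               "serviceManager": {"imap"}},
}

def parent_dn(dn):
    """this/-1 in the thread's set notation, assumed here to be the parent DN."""
    return dn.split(",", 1)[1]

# 'by' conditions: each returns True when its set expression is non-empty.
def ou_rule(user_dn, target_dn, value):
    """set.exact="user/ouManager & this/-1" from the question."""
    return parent_dn(target_dn) in ENTRIES[user_dn]["ouManager"]

def service_rule(user_dn, target_dn, value):
    """set="user/serviceManager & ${v1}" from the question."""
    return value in ENTRIES[user_dn]["serviceManager"]

def combined_rule(user_dn, target_dn, value):
    """set.expand="(user/ouManager + user/serviceManager) & (this/-1 + ${v1})"
    from the reply.  '+' is modelled as pairwise string concatenation of the
    two sets (assumption); '&' as set intersection.  Non-empty only when the
    user manages the target's ou AND may grant the requested value."""
    u = ENTRIES[user_dn]
    left = {ou + svc for ou, svc in product(u["ouManager"], u["serviceManager"])}
    right = {parent_dn(target_dn) + value}
    return bool(left & right)

DN_RE = re.compile(r"^uid=.+,ou=.+,o=home$")

def to_home_users(target_dn, attr):
    """'to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService'."""
    return bool(DN_RE.match(target_dn)) and attr == "authorizedService"

def to_any_entry(target_dn, attr):
    """'to attrs.regex=authorizedService' (any entry)."""
    return attr == "authorizedService"

# Each directive is (to-matcher, [(by-condition, granted access), ...]).
TWO_DIRECTIVES = [                      # the question's two rules
    (to_home_users, [(ou_rule, "write")]),
    (to_any_entry, [(service_rule, "write")]),
]
ONE_DIRECTIVE = [                       # the reply's single rule
    (to_home_users, [(combined_rule, "write")]),
]

def evaluate(directives, user_dn, target_dn, attr, value):
    """slapd uses only the first directive whose 'to' clause matches the
    target.  Within it the first matching 'by' clause decides; if none
    matches, access is denied (implicit 'by * none').  Later directives are
    never consulted for that target, so two directives cannot form an AND."""
    for to_matches, by_clauses in directives:
        if not to_matches(target_dn, attr):
            continue
        for condition, access in by_clauses:
            if condition(user_dn, target_dn, value):
                return access
        return "none"
    return "none"

if __name__ == "__main__":
    target = "uid=dave,ou=sales,o=home"
    for user in ENTRIES:
        for value in ("imap", "pop3"):
            print(f"{user:28} {value:5} two directives: "
                  f"{evaluate(TWO_DIRECTIVES, user, target, 'authorizedService', value):5} "
                  f"one directive: {evaluate(ONE_DIRECTIVE, user, target, 'authorizedService', value)}")
```

Running it shows bob (ouManager set, serviceManager empty) getting `write` for every value under the two-directive layout, and alice getting `write` for `pop3` although her serviceManager only lists `imap`; under the single set directive both are refused and only alice writing `imap` into her own ou succeeds.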