[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: "to" rules

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>, openldap-technical@openldap.org
Subject: Re: "to" rules
From: uri_gr1@tut.by
Date: Wed, 23 Apr 2008 14:49:16 +0300
Content-disposition: inline
In-reply-to: <hbf.20080421mo4n@bombur.uio.no>
References: <200804211318.08618.uri_gr1@tut.by> <200804211511.11256.uri_gr1@tut.by> <hbf.20080421mo4n@bombur.uio.no>
User-agent: KMail/1.9.6 (enterprise 20070904.708012)

Ð ÑÐÐÐÑÐÐÐÐ ÐÑ Monday 21 April 2008 17:30:08 ÐÑ ÐÐÐÐÑÐÐÐ:
> Note, you replied just to me - might have gotten a quicker reply from
> someone else if you replied to the list.  Anyway...
>
> uri_gr1@tut.by writes:
> >From: uri_gr1@tut.by
> >
> >>> I have openldap-2.4.8 up and running. I have ou=People subtree with
> >>> posixAccounts and I need to grant access to, let's say,
> >>> ou=Clients,ou=AddressBook by all rdn's in ou=People, having
> >>> gidNumber=10008.
> >>
> >> I'm not quite sure what you mean with "by all rdn's".  (...)
> >
> > user uid=uri_gr1,ou=People,dc=tut,dc=by should have write access to
> > ou=Clients,ou=AddressBook,dc=tut,dc=by subtree if the user entry contains
> > attribute gidNumber: 10008
>
> Still untested -
>
> access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
>        by dn.onelevel=ou=People,dc=tut,dc=by
>           set.exact="self/gidNumber & 10008"
>           write
>        and maybe by * read or whatever for everyone else
I tested ACLs below:

# ACL for clients addressbook
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by
      set.exact="self/gidNumber & 10003"
      write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by
      set.exact="self/gidNumber & 10007"
      write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by
      set.exact="self/gidNumber & 10008"
      write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write

access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by * none
#

But it's not worked. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is 
restricted to all. Is it posible to write some acls like:
...
by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...

As I know it accepted for "to ..." rules, but wthat about "by ..."?
I tried it earlier, but maybe it failed beacuse of wrong syntax?

Follow-Ups:
- Re: "to" rules
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

References:
- "to" rules
  - From: uri_gr1@tut.by

Prev by Date: ldap_simple_bind() can't return immediately?
Next by Date: Re: "to" rules
Index(es):
- Chronological
- Thread