[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: "to" rules
uri_gr1@tut.by writes:
> I tested ACLs below:
> (...)
> But it's not worked. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is
> restricted to all.
Sorry, I forgot to quote the gidNumber values. Literal values in sets
are quoted with [].
Also you asked for another access than you actually wanted. Read man
slapd.access: Only the first "to" clause which matches what you want to
access, is used. Your first "access" clause hid all the others, since
they had the same "to". Similarly, in the chosen "to" clause, only the
first "by" clause which matches who is accessing, is used.
There are keywords to avoid these rules ("break", "continue", "stop"),
but you don't need them for this.
So, let me try again (still untested, hope I'm getting it right this
time) -
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
by dn.onelevel=ou=People,dc=tut,dc=by
set.exact="self/gidNumber & ([10003] | [10007] | [10008])"
write
by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
by * none
BTW, do you really Bind as e.g. "cn=seller,ou=Groups,dc=tut,dc=by", or
is that the name of a group like it looks like?
> Is it posible to write some acls like:
> by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
Not directly, but that's in practice what the "set" ACLs emulate:
by set.exact="self/objectClass & [posixAccount]"
set.exact="self/gidNumber & [10008]"
(with multiple rules in a "to" and "by" clause there is an implicit
"and" between them.)
Sets are still marked "experimental" though. And they are less
efficient than rules that have logic better built in. They are
described here in the FAQ:
http://www.openldap.org/faq/data/cache/1133.html
--
Hallvard