
Re: "to" rules



On Wednesday 23 April 2008 15:14:08 Hallvard B Furuseth wrote:
> uri_gr1@tut.by writes:
> > I tested ACLs below:
> > (...)
> > But it didn't work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is
> > restricted for everyone.
>
> Sorry, I forgot to quote the gidNumber values.  Literal values in sets
> are quoted with [].
>
> Also you asked for another access than you actually wanted.  Read man
> slapd.access: Only the first "to" clause which matches what you want to
> access, is used.  Your first "access" clause hid all the others, since
> they had the same "to".  Similarly, in the chosen "to" clause, only the
> first "by" clause which matches who is accessing, is used.
>
> There are keywords to avoid these rules ("break", "continue", "stop"),
> but you don't need them for this.
>
> So, let me try again (still untested, hope I'm getting it right this
> time) -
>
> access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
>     by dn.onelevel=ou=People,dc=tut,dc=by
>        set.exact="self/gidNumber & ([10003] | [10007] | [10008])"
>        write
>     by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
>     by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
>     by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
>     by * none
Nope, that doesn't work either.
>
> BTW, do you really Bind as e.g. "cn=seller,ou=Groups,dc=tut,dc=by", or
> is that the name of a group like it looks like?
I bind as "cn=Test User,ou=People,dc=tut,dc=by". This entry has the 
attribute gidNumber=10008. 
"cn=seller,ou=Groups,dc=tut,dc=by" is a group with gidNumber=10008, 
but "cn=seller,ou=Groups,dc=tut,dc=by" does not have "cn=Test 
User,ou=People,dc=tut,dc=by" in its "member" attribute.
>
> > Is it possible to write some ACLs like:
> > by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
>
> Not directly, but that's in practice what the "set" ACLs emulate:
>     by set.exact="self/objectClass & [posixAccount]"
>        set.exact="self/gidNumber & [10008]"
> (with multiple rules in a "to" and "by" clause there is an implicit
> "and" between them.)
>
> Sets are still marked "experimental" though.  And they are less
> efficient than rules that have logic better built in.  They are
> described here in the FAQ:
>   http://www.openldap.org/faq/data/cache/1133.html
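
An added example, not code from the thread or from OpenLDAP's own documentation, showing the first-match pitfall Hallvard describes and a merged ACL that avoids it. It keeps the DNs used above; the gidNumber values 10003/10007/10008 and the config path are assumed for illustration. One deliberate change from the quoted attempt: in slapd's set syntax (slapd.access(5) and the FAQ entry linked above) the DN that authenticated is spelled `user` and the entry being accessed is `this`, so the set rule below is written as `user/gidNumber`.

```conf
# Added example (not from the thread): slapd.conf ACL fragment. DNs follow
# the thread; gidNumber values and the slapd.conf path are assumed.

# BROKEN: two "access" directives with the same "to" clause. slapd uses the
# first "to" that matches the target entry and never evaluates the second
# directive, so the admin/manager rules below are dead. Anyone not matched
# by the single "by" of the first directive is denied (no "by" matched).
access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by set.exact="user/gidNumber & [10008]" write

access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by dn.exact="cn=admin,ou=Groups,dc=tut,dc=by" write
    by dn.exact="cn=manager,ou=Groups,dc=tut,dc=by" write

# FIXED: one "to" clause with every "by" clause under it. Within a "to" the
# first matching "by" wins, so order from most to least specific and keep
# "by * none" last. Two rules on one "by" line are ANDed: the bound DN must
# be directly under ou=People AND carry the given gidNumber. In set syntax
# "user" is the bound DN (cn=Test User above), "this" the target entry,
# and literal values are quoted with [].
access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by dn.onelevel="ou=People,dc=tut,dc=by"
       set.exact="user/gidNumber & [10003]" write
    by dn.onelevel="ou=People,dc=tut,dc=by"
       set.exact="user/gidNumber & [10007]" write
    by dn.onelevel="ou=People,dc=tut,dc=by"
       set.exact="user/gidNumber & [10008]" write
    by dn.exact="cn=admin,ou=Groups,dc=tut,dc=by" write
    by dn.exact="cn=manager,ou=Groups,dc=tut,dc=by" write
    by dn.exact="cn=seller,ou=Groups,dc=tut,dc=by" write
    by * none

# Check the result offline with slapacl(8) against the on-disk database
# (flags per slapacl(8); -u skips fetching the target entry):
#   slapacl -f /etc/ldap/slapd.conf -u \
#       -D "cn=Test User,ou=People,dc=tut,dc=by" \
#       -b "ou=Clients,ou=AddressBook,dc=tut,dc=by" entry/write
```

The slapacl check is worth running for each bind DN you care about: it evaluates exactly the same "to"/"by" walk slapd would, and a dead second directive shows up immediately as an unexpected "DENIED" for the DNs it was supposed to grant. Each `by` line above deliberately tests a single gidNumber, so the AND between `dn.onelevel` and `set.exact` is the only combinator in play; the "break"/"continue"/"stop" controls Hallvard mentions are not needed here.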