
Re: access control



Darryl Moore wrote:
> I'm trying to set up access controls for the server. Here are the rules
> I am trying to implement
> 
> olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth
> by self write by * none
> olcAccess: {1}to
> dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write  by * none
> olcAccess: {2}to
> dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
> olcAccess: {3}to dn.regex="cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> group.exact,expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write by
> group="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
> olcAccess: {4}to dn.base="ou=Groups,dc=moores,dc=ca$" by
> group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
> olcAccess: {5}to dn.base="ou=People,dc=moores,dc=ca$" by
> group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
> olcAccess: {6}to * by users read by * none
> -
> 
> Basically I have groups, and within those groups I have  Contact lists
> and administrators. I want the administrator to have write access, other
> members to have read access, and non members to have none.
> 
> This rule is what I think should work for that:
> 
> dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
> 
> 
> I know this rule works for individual user contact lists:
> 
> dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write  by * none
> 
> 
> I think the problem I am running into is having the <who> field as
> 
> group.exact,expand
> 
> Can I not do this? If not, is there any way to achieve the same result?
> 
> thanks,
> darryl
> 
> 
by ssf=128 set="[cn=admin,ou=groups,dc=domain,dc=tld]/member & user" write

->

any member of group 'admin' (groupOfNames) can write to...

I'm not sure if that's what you're trying to do.

Zdenek

-- 
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net
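As an added example that is not part of the thread, the set-based <who> clause from the reply applied to Darryl's per-group Contacts subtrees, so that the group's own cn=Admin subgroup gets write and ordinary members get read. The DNs under dc=moores,dc=ca come from the quoted rules; the database DN olcDatabase={1}mdb and the "set.expand" style (assumed to substitute the $1 capture from the dn.regex <what> into the set pattern) are assumptions.

```ldif
# Added example, not from the thread. Folded olcAccess values: each
# continuation line starts with one space that LDIF strips on parsing.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: usable for bind only, owner may change, nobody else reads them
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by anonymous auth
  by self write
  by * none
# Per-user contact lists: the owner of uid=$1 writes, everyone else gets none
olcAccess: {1}to dn.regex="^ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$"
  by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write
  by * none
# Per-group contact lists. [dn]/member is the set of DNs in that entry's
# member attribute; "& user" intersects it with the bound DN, so a non-empty
# result means the binding user is listed as a member of that group.
# cn=Admin,cn=$1 is the per-group admin subgroup from the quoted rule {3}.
olcAccess: {2}to dn.regex="^ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$"
  by set.expand="[cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca]/member & user" write
  by set.expand="[cn=$1,ou=Groups,dc=moores,dc=ca]/member & user" read
  by * none
# Everything else: authenticated users read, anonymous gets nothing
olcAccess: {3}to * by users read by * none
```

Verify the outcome for a member and a non-member before relying on it, e.g. `slapacl -F /etc/ldap/slapd.d -D "uid=darryl,ou=People,dc=moores,dc=ca" -b "ou=Contacts,cn=Staff,ou=Groups,dc=moores,dc=ca" entry/write` (config path and test DNs assumed).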