
Re: access control



Thanks, but not quite

if I have a group

cn=mygroup,ou=Groups,dc=....

then I also have a subgroup

cn=admin,cn=mygroup,ou=groups,dc=....

I want the members of the subgroup to have write access to the parent
group, and the members of the parent group to only have read access.

Zdenek Styblik wrote:
> Darryl Moore wrote:
>> I'm trying to set up access controls for the server. Here are the rules
>> I am trying to implement
>>
>> olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth
>> by self write by * none
>> olcAccess: {1}to
>> dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
>> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write  by * none
>> olcAccess: {2}to
>> dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
>> group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
>> olcAccess: {3}to dn.regex="cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
>> group.exact,expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write by
>> group="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
>> olcAccess: {4}to dn.base="ou=Groups,dc=moores,dc=ca$" by
>> group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
>> olcAccess: {5}to dn.base="ou=People,dc=moores,dc=ca$" by
>> group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
>> olcAccess: {6}to * by users read by * none
>> -
>>
>> Basically I have groups, and within those groups I have Contact lists
>> and administrators. I want the administrator to have write access, other
>> members to have read access, and non members to have none.
>>
>> This rule is what I think should work for that:
>>
>> dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
>> group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
>>
>>
>> I know this rule works for individual user contact lists:
>>
>> dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
>> dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write  by * none
>>
>>
>> I think the problem I am running into is having the <who> field as
>>
>> group.exact,expand
>>
>> Can I not do this? If not, is there any way to achieve the same result?
>>
>> thanks,
>> darryl
>>
>>
> by ssf=128 set="[cn=admin,ou=groups,dc=domain,dc=tld]/member & user" write
> 
> ->
> 
> any member of group 'admin' (groupOfNames) can write to...
> 
> I'm not sure if that's what you're trying to do.
> 
> Zdenek
>
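The rules discussed in this thread, evaluated by a small model of how slapd walks an ordered olcAccess list (first matching `to` clause, then first matching `by` clause, with `$1` from the `dn.regex` substituted into the group DN). This is an added example, not code from the thread or from OpenLDAP; the directory contents, the members and the `dc=example,dc=com` suffix are constructed, and only rules {3} and {6} are modelled.

```python
import re

# Constructed toy directory: group DN -> member DNs (lower-cased, as slapd compares cn case-insensitively).
DIRECTORY = {
    "cn=mygroup,ou=groups,dc=example,dc=com": {
        "uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"},
    "cn=admin,cn=mygroup,ou=groups,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com"},
    "cn=management,ou=groups,dc=example,dc=com": {"uid=carol,ou=people,dc=example,dc=com"},
}

# Ordered rules modelled on olcAccess {3} and {6} from the thread (dc=example,dc=com stands in
# for the poster's suffix). Each entry: (<what> regex, [(<who> kind, pattern, access), ...]).
# "group": requester is a member of the expanded group DN; "users": any authenticated
# requester; "*": anyone, including anonymous.
RULES = [
    (r"^cn=([^,]+),ou=groups,dc=example,dc=com$", [
        ("group", "cn=admin,cn=$1,ou=groups,dc=example,dc=com", "write"),
        ("group", "cn=management,ou=groups,dc=example,dc=com", "write"),
        ("group", "cn=$1,ou=groups,dc=example,dc=com", "read"),
        ("*", None, "none"),
    ]),
    (r"^.*$", [("users", None, "read"), ("*", None, "none")]),
]


def expand(pattern, match):
    """Substitute $1, $2, ... in a <who> pattern with the capture groups of the <what> regex."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), pattern)


def access_for(requester, target):
    """Access ("write", "read" or "none") that requester DN (None = anonymous) gets on target DN.

    Mirrors slapd's evaluation order: only the first <what> clause matching the target is
    consulted, its first matching <who> clause decides, and no matching <who> means denial.
    """
    target = target.lower()
    requester = requester.lower() if requester else None
    for what, bys in RULES:
        m = re.match(what, target)
        if not m:
            continue
        for kind, pattern, access in bys:
            if kind == "*":
                return access
            if kind == "users" and requester is not None:
                return access
            if kind == "group" and requester in DIRECTORY.get(expand(pattern, m), set()):
                return access
        return "none"  # implicit 'by * none'
    return "none"  # nothing matched; modelled as deny
```

Note that the subgroup entry `cn=admin,cn=mygroup,...` itself does not match the `{3}` regex (the `[^,]+` capture stops at the first comma), so it falls through to the catch-all rule.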