Re: access control

[Jonathan Clarke <jonathan@phillipoux.net>]

On 23/07/2009 18:22, Darryl Moore wrote:
> Thanks Zdenek, Going back to my books I am learning more thanks to your
> comment. I think I understand what you are saying, but to work I still
> need to be able to expand the regular expression
>
> so even with set="cn=..../member*" it would have to be
> set,expand="cn.../member*". because I have to match the group. I don't
> have a central admin group.
>
> from what I've seen ",expand" only works with dn. constructs. Is that
> right? How else can I do this?
>
>
> cheers,
> darryl
>
> Darryl Moore wrote:
> > Thanks, but not quite
> >
> > if I have a group
> >
> > cn=mygroup,ou=Groups,dc=....
> >
> > then I also have a subgroup
> >
> > cn=admin,cn=mygroup,ou=groups,dc=....
> >
> > I want the members of the subgroup to have write access to the parent
> > group, and the members of the parent group to only have read access.

You could probably achieve this with something like:

access to dn.children=ou=groups,dc=....
  by set="([ldap:///] + this + [??one?cn=admin])/member & user" write
  by set="this/member & user" read

This will search for an entry named "cn=admin" on one level under each 
group in ou=groups, and allow write access to it's members.

Hope this helps,
Jonathan

> > Zdenek Styblik wrote:
> > > Darryl Moore wrote:
> > > > I'm trying to set up access controls for the server. Here are the rules
> > > > I am trying to impliment
> > > >
> > > > olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth
> > > > by self write by * none
> > > > olcAccess: {1}to
> > > > dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
> > > > dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write  by * none
> > > > olcAccess: {2}to
> > > > dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> > > > group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
> > > > olcAccess: {3}to dn.regex="cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> > > > group.exact,expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write by
> > > > group="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
> > > > olcAccess: {4}to dn.base="ou=Groups,dc=moores,dc=ca$" by
> > > > group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
> > > > olcAccess: {5}to dn.base="ou=People,dc=moores,dc=ca$" by
> > > > group.exact="cn=Management,ou=Groups,dc=moores,dc=ca$" write by users read
> > > > olcAccess: {6}to * by users read by * none
> > > > -
> > > >
> > > > Basically I have groups, and within those groups I have  Contact lists
> > > > and administrators. I want the administrator to have write access, other
> > > > members to have read access, and non members to have none.
> > > >
> > > > This rule is what I think should work for that:
> > > >
> > > > dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by
> > > > group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
> > > >
> > > >
> > > > I know this rule works for individual user contact lists:
> > > >
> > > > dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by
> > > > dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write  by * none
> > > >
> > > >
> > > > I think the problem I am running into is having the<who>  field as
> > > >
> > > > group.exact,expand
> > > >
> > > > Can I not do this? If not, is there any way to acheive the same result?
> > > >
> > > > thanks,
> > > > darryl
> > > by ssf=128 set="[cn=admin,ou=groups,dc=domain,dc=tld]/member&  user" write
> > >
> > > ->
> > >
> > > any member of group 'admin' (groupOfNames) can write to...
> > >
> > > I'm not sure if that's what you're trying to do.
> > >
> > > Zdenek