Re: pls help: acl to groups
There are a few ways to do this. This is the one I was working with.
+c=hk
+-o=freds company,c=hk
+--cn=administrators,o=freds company,c=hk
+--cn=fred blogs,o=freds company,c=hk
where
dn: cn=administrators,o=freds company,c=hk
# the RDN value must also be present as a cn value of the entry
cn: administrators
cn: administrators of this region
objectclass: groupOfNames
# groupOfNames is important for the group acl feature
objectclass: top
member: cn=fred blogs,o=freds company,c=hk
member: cn=somebody else,o=.......
NOTE: do not put spaces after the ',' in member values.
The GROUP access ACL:
access to dn=".*,o=freds company,c=hk"
by group="cn=administrators,o=freds company,c=hk" write
by * none
NOTE: you will need to add a few ACLs before this to deal with passwords etc.
access to attr=userpassword by self write
by group="cn=administrators,o=freds company,c=hk" write
by * compare
NOTE: ACLs match on a first-seen, first-match basis.
You can use wildcard substitution, something like this:
"cn=administrators,(.*)" access to .*,/1
== DO A SEARCH THROUGH OLD MAIL ON THIS LIST FOR THE EXACT SYNTAX - I had problems today connecting to OpenLDAP.
regards
alan
"S.T. Wong" wrote:
>
> Hello,
>
> I wonder if it possible to apply "group=" rule to the <what> item in acl
> construct like this :
>
> access to <what>
> by <who> <rights>
>
> I think adding some kind of qualifier in dn for this purpose, e.g.
>
> access to dn="uid=.*, status=single, o=.*, c=hk"
>
> but it's inflexible to change dn when someone's status changes. It's even
> worse when the status (or the categorizing attribute) changes frequently.
>
> Would anyone please help?
>
> Thanks a lot.
>
> --
> S.T. Wong | Email: st-wong@cuhk.edu.hk
--
------------------// Alan's Signature //--------------------
If the answer's not at http://www.hk.super.net/~alan_k , then
let me know, 'CAUSE IT'S SUPPOSED TO BE!
-----------// Alan's Linux Infomation Center //-------------
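As an added worked example (not part of Alan's message and not OpenLDAP code), the following Python script models how slapd evaluates the two ACL clauses from the post: the first `access to` clause whose <what> matches the target decides, and within it the first `by` clause whose <who> matches the requester decides, with `group=` membership resolved by reading the `member` attribute of the named groupOfNames entry. The directory entries (fred blogs, jane doe, the administrators group) and the password hashes are constructed sample data; the `norm` helper is a simplification of slapd's DN normalisation; the access-level ordering follows slapd's `none < auth < compare < search < read < write`. It puts the password rule first, as the post says to, and then shows what happens when the two clauses are swapped.

```python
"""Toy first-match ACL evaluator modelled on slapd's access-control rules.

Added example, not OpenLDAP's code. The directory below is constructed
sample data; DN comparison is a simplified stand-in for slapd's
normalisation.
"""
import re

# slapd access levels in increasing order; a granted level implies every
# lower one (write implies read, compare, auth, ...).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADMINS = "cn=administrators,o=freds company,c=hk"
FRED = "cn=fred blogs,o=freds company,c=hk"    # member of the group
JANE = "cn=jane doe,o=freds company,c=hk"      # ordinary user (constructed)

# Constructed sample directory: dn -> {attribute: [values]}
DIRECTORY = {
    ADMINS: {
        "objectclass": ["groupofnames", "top"],
        "cn": ["administrators"],
        "member": [FRED],
    },
    FRED: {
        "objectclass": ["person", "top"],
        "cn": ["fred blogs"],
        "userpassword": ["{SSHA}constructed-hash"],
    },
    JANE: {
        "objectclass": ["person", "top"],
        "cn": ["jane doe"],
        "userpassword": ["{SSHA}constructed-hash"],
    },
}

# The two clauses from the post, in the order the post recommends:
# the userpassword rule first, then the broad subtree rule.
ACL_POSTED_ORDER = [
    ({"attr": "userpassword"},
     [("self", "write"), ("group=" + ADMINS, "write"), ("*", "compare")]),
    ({"dn": r".*,o=freds company,c=hk"},
     [("group=" + ADMINS, "write"), ("*", "none")]),
]

# The same two clauses with their order swapped.
ACL_SWAPPED_ORDER = list(reversed(ACL_POSTED_ORDER))


def norm(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_member(group_dn, requester_dn):
    """Resolve group= as slapd does: read `member` of the groupOfNames entry."""
    entry = DIRECTORY.get(norm(group_dn))
    if not entry or "groupofnames" not in entry.get("objectclass", []):
        return False
    return norm(requester_dn) in (norm(m) for m in entry.get("member", []))


def who_matches(who, requester_dn, target_dn):
    """Match a <who> clause; an empty requester DN is an anonymous bind."""
    if who == "*":
        return True
    if who == "self":
        return requester_dn != "" and norm(requester_dn) == norm(target_dn)
    if who.startswith("group="):
        return is_member(who[len("group="):], requester_dn)
    raise ValueError("unsupported <who>: " + who)


def access(rules, requester_dn, target_dn, attr, needed):
    """True if `requester_dn` gets `needed` access to `attr` of `target_dn`.

    attr=None means the entry itself. The first clause whose <what> matches
    decides; once chosen, later clauses are never consulted.
    """
    for what, by_clauses in rules:
        if "dn" in what and not re.fullmatch(what["dn"], norm(target_dn)):
            continue
        if "attr" in what and (attr is None or attr.lower() != what["attr"]):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False  # clause matched but no <who> did: implicit "by * none"
    return False      # no clause matched at all: deny


if __name__ == "__main__":
    checks = [
        ("jane writes her own userpassword", JANE, JANE, "userpassword", "write"),
        ("anonymous compares jane's userpassword", "", JANE, "userpassword", "compare"),
        ("fred (admin) writes jane's cn", FRED, JANE, "cn", "write"),
        ("jane reads her own cn", JANE, JANE, "cn", "read"),
    ]
    for label, req, tgt, at, lvl in checks:
        print(f"{label:40s} posted order: {access(ACL_POSTED_ORDER, req, tgt, at, lvl)!s:5s} "
              f"swapped: {access(ACL_SWAPPED_ORDER, req, tgt, at, lvl)}")
```

Run the model and the ordering caveat from the post becomes concrete: with the subtree clause placed first, it matches every attribute under `o=freds company,c=hk`, including userpassword, so the password clause is never reached; jane loses write on her own password and anonymous loses the compare access it needs to check a password. The model also shows that `by * none` at the end of the subtree clause leaves an ordinary user without even read access to their own entry; whether that is wanted depends on the deployment.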