[Date Prev][Date Next]
Re: Access Control - Variables
> Dear List!
> Is it possible to use Variables in ACL rules?
> I'm trying to implement an access-control structure for a
> Since it will be used for multiple customers, each customer should only
> "see" their hardware.
> The customers will be in
> cn=XY, ou=people, o=customerorganisation, ou=customers, o=myorganisation
> Their hardware will be in
> myobject=XYZ, o=customerorganisation, ou=customers, o=myorganisation
> The people of my organisation (who will get write access to everything)
> will be in
> cn=xy, ou=peole, o=myorganisation
> So my ACL has to look somehow like this:
> access to dn="myobject=XYZ, o=$1, ou=customers, o=myorganisation"
> by dn="cn=*,ou=peole, o=myorganisation" write
> by dn="cn=XY, ou=people, o=$1, ou=customers, o=myorganisation"
> Somewhere I've seen ACL-descriptions like these:
> access to dn="(.*)?, o=$1, ou=customers, o=myorganisation"
> by dn="(.*)?, ou=peole, o=myorganisation" write
> by dn="(.*)?, ou=people, o=$1, ou=customers, o=myorganisation"
> My Questions:
> A: Will both of the above ACLS work, and, if, where is the difference?
> B: Will the Variable "o=$1" work? If not, how can I get a similar result
> without hard-coding
> every customer in the ACL?
You can use regex pattern substitution in the form:
access to dn=".*ou=([^,]+),o=myorganization"
by dn="cn=admin,ou=$1,o=myorganization" write
by * read
so, if you call "cn=admin,ou=customer X,o=myorganization"
the administrator of "customer X", then it can access
all data below "ou=customer X,o=myorganization"
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:email@example.com
via La Masa 34, 20156 Milano, Italy |