RE: ACLs, groups, and regular expressions... oh my
> -----Original Message-----
> From: Howard Chu [mailto:hyc@highlandsun.com]

> You will have to explicitly list all of the groups that you
> want to give access to. Alternately, you can create a nesting
> group, a group whose members are all the other groups in the
> directory. Then you'll have to use the set syntax:
> 	access to *
> 	  by set="[cn=metagroup,dc=example,dc=com]/member*" read

ACL sets are explained here http://www.openldap.org/faq/data/cache/452.html
The above ACL is probably better written as
	access to *
	  by set="[cn=metagroup,dc=example,dc=com]/member* & user" read

Regardless, it will be fairly expensive to evaluate, as it recursively
searches the directory to expand all of the members of the set. You're better
off just explicitly listing your groups.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
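To make the difference between the two set ACLs quoted above concrete, here is an added Python model (not from the message or from OpenLDAP itself) of how slapd decides a `by set=` clause: the set expression is evaluated and access is granted when the result is non-empty. It walks `member*` as the recursive closure of the `member` attribute over a small constructed in-memory directory; the DNs and group layout are invented for the illustration.

```python
# Constructed directory: DN -> attributes. "admins" and "devs" nest each
# other, so the closure must guard against cycles.
DIRECTORY = {
    "cn=metagroup,dc=example,dc=com": {"member": [
        "cn=admins,dc=example,dc=com", "cn=devs,dc=example,dc=com"]},
    "cn=admins,dc=example,dc=com": {"member": [
        "uid=alice,dc=example,dc=com", "cn=devs,dc=example,dc=com"]},
    "cn=devs,dc=example,dc=com": {"member": [
        "uid=bob,dc=example,dc=com", "cn=admins,dc=example,dc=com"]},
    "uid=alice,dc=example,dc=com": {},
    "uid=bob,dc=example,dc=com": {},
    "uid=mallory,dc=example,dc=com": {},
}

METAGROUP = "cn=metagroup,dc=example,dc=com"


def expand_member_star(start_dn, attr="member"):
    """Value of '[start_dn]/member*': every DN reachable by following the
    member attribute recursively (intermediate groups included).  The
    visited set stops the walk when groups nest each other."""
    result, frontier = set(), [start_dn]
    while frontier:
        dn = frontier.pop()
        for m in DIRECTORY.get(dn, {}).get(attr, []):
            if m not in result:        # already expanded -> skip (cycle guard)
                result.add(m)
                frontier.append(m)
    return result


def set_clause_grants(set_value):
    """slapd grants a 'by set=' clause whenever the set evaluates non-empty."""
    return len(set_value) > 0


def acl_without_user(user_dn):
    # by set="[cn=metagroup,...]/member*" read
    # The requesting user never enters the expression, so the set is the
    # same (and non-empty) for every request.
    return set_clause_grants(expand_member_star(METAGROUP))


def acl_with_user(user_dn):
    # by set="[cn=metagroup,...]/member* & user" read
    # Intersecting with the bound DN leaves a non-empty set only for members.
    return set_clause_grants(expand_member_star(METAGROUP) & {user_dn})
```

Running both checks for a DN that is not in any nested group shows why the `& user` form is the one to use: the first clause grants read to anyone who can bind, the second only to the expanded membership.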