
RE: ACL group



Seems to be a great idea, unfortunately it doesn't work
for the moment :(
 
Maybe it's because my openldap is too old?

I'll try again, with different syntaxes...

Thanks for your help !

Lucie



-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On behalf of Alexandre
Garel
Sent: Monday 16 August 2004 15:37
To: openldap-software@OpenLDAP.org
Subject: Re: ACL group


Alexandre Garel wrote:

> lucie wermer wrote:
>
>> Hi,
>> I have a directory in which people are in the branch "ou=People", and
>> groups in the branch "ou=groups".
>> I need an ACL to authorize an entry "uid=manager,dc=org,dc=fr" to access
>> the entries that are members of a specific group.
>> Only this entry can access the entries from "ou=people" that are in the
>> group "cn=VIP,ou=groups,dc=org,dc=fr".
>>
>> I hope I am clear enough.
>> Thanks for any help!
>>  
>>
> It would be easier to make entries have an attribute,
> employeeType (or manager or whichever you want), which would
> be set to VIP. So your ACL rule would be:
> access to dn.children="ou=people,dc=org,dc=fr"
> filter="(employeeType=VIP)"
> by "uid=manager,dc=org,dc=fr" write
> by * none
>
> There is the possibility to use groups, but that's to
> specify who can access an entry (and not which entries can be
> accessed). So that's the contrary of your problem.
> I am not such an ACL expert, so I don't know if
> your original request can be satisfied.
> Alex.
>
I just posted a hint in reply to another message that should also
do for you. Well, I just read it in the Faq-o-matic, never tested such a
thing, but maybe it's what you need. See the set explanation at
http://www.openldap.org/faq/data/cache/452.html.
With set you can do:

access to dn.one="ou=people,dc=org,dc=fr"
by dn.exact="uid=manager,dc=org,dc=fr" set="this & [cn=VIP,ou=groups,dc=org,dc=fr]/member" write
by * none

If I understand the faq-o-matic correctly, this checks that the
user is the manager and that the entry DN intersects the values of
the member attribute in the VIP group. (Of course if you have, say, a
groupOfUniqueNames you'll have to use uniqueMember
instead of member.)
It's just a hint, you should try it if you like
adventure. Maybe an ACL guru
on the list could confirm.
Alex.
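For reference, here is a complete minimal slapd.conf ACL section that puts the two suggestions from the thread side by side. This is an added example, not code from the thread or from the OpenLDAP documentation. The suffix dc=org,dc=fr, the ou=people and ou=groups branches, the group cn=VIP and the DN uid=manager,dc=org,dc=fr are the names used in the thread; the rootDSE, userPassword and search-base rules around them are assumptions about a typical setup and are labelled as such in the comments.

```conf
# Added example (not from the original thread). Assumes the suffix
# dc=org,dc=fr and the entries named in the thread; everything else is
# a typical-setup assumption.

# slapd evaluates "access to" clauses in order. The first one whose
# target matches the entry (and attribute) being accessed decides, so
# the specific rules go first and the catch-all last.

# 0. Usual rule (assumed): everybody may read the root DSE.
access to dn.base=""
    by * read

# 1. Usual rule (assumed): passwords are only writable by the owner and
#    only usable for binding by anyone else. Because this clause comes
#    first, the manager never sees VIP passwords even with "write" below.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. The manager must be able to reach the search base itself; the
#    catch-all at the end would otherwise block a search rooted at
#    ou=people.
access to dn.base="ou=people,dc=org,dc=fr"
    by dn.exact="uid=manager,dc=org,dc=fr" read
    by * none

# 3a. Group-based variant (the set suggestion from the thread): the
#     manager gets access to an entry directly under ou=people only if
#     that entry's DN is one of the values of the member attribute of
#     cn=VIP,ou=groups. Both selectors on the "by" line must match.
#     For a groupOfUniqueNames use .../uniqueMember instead.
#     Who is a VIP is controlled by whoever may write the group entry,
#     which this file does not grant to the manager.
access to dn.one="ou=people,dc=org,dc=fr"
    by dn.exact="uid=manager,dc=org,dc=fr" set="this & [cn=VIP,ou=groups,dc=org,dc=fr]/member" write
    by self read
    by * none

# 3b. Attribute-based variant (the employeeType suggestion), shown
#     commented out as the alternative to 3a. Note the clause only ever
#     matches entries carrying employeeType=VIP; all other entries under
#     ou=people fall through to the catch-all below, so a separate rule
#     for them is needed if anyone else should see them.
# access to dn.one="ou=people,dc=org,dc=fr" filter="(employeeType=VIP)"
#     by dn.exact="uid=manager,dc=org,dc=fr" write
#     by self read
#     by * none

# 4. Catch-all: anything not matched above is closed. Without an
#    explicit final rule slapd's default would be "by * read".
access to *
    by * none
```

Check the file with `slaptest -f slapd.conf` before restarting slapd, then verify the effect as the manager with `ldapsearch -x -D "uid=manager,dc=org,dc=fr" -W -b "ou=people,dc=org,dc=fr" "(objectClass=*)" dn`: only entries listed in the VIP group's member attribute should come back, and the same search bound as any other user should return nothing. If the set clause is rejected at startup on an older release, variant 3b is the fallback, at the cost of moving control over VIP status from the group entry into each person's entry.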


