
Re: Tricky ACL

--On Tuesday, October 12, 2004 10:37 PM +0200 Pierangelo Masarati <ando@sys-net.it> wrote:
You don't say what version you're using; this may impact the availability
of certain ACLs.  For HEAD code, which should be relatively similar to
2.2.17 in this field, the slapd.access(5) man page documents the "val"
option for attributeType qualification; it says
    attrs=<attr> val[.<style>]=<attrval>
which means that only one attribute type must be present ("<attr>"); it
doesn't mention submatch (from DN?) expansion, and I'm pretty sure the
code doesn't do that.  What you want to do can be obtained by using

access to dn.subtree="cn=people,dc=uta,dc=edu"
    by set.exact="this/accountName & user/uid" read

Of course you may need more rules to make sure that "user" actually is an
account.

Wow, that works great. :) Stanford also has separate account/person trees, and that just solved a long standing problem for me. ;)


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
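The set-based rule from the reply above, written out as a complete slapd.conf ACL stanza that also adds the "more rules" Pierangelo hints at, so that only a bind DN from the account tree can match. This is an added example and not configuration from either poster; the account subtree DN (ou=accounts,dc=uta,dc=edu) and the sample entries are constructed assumptions, while the target subtree and the accountName/uid attribute pairing come from the thread.

```conf
# Added example (not from the thread): grant each person entry read access
# only to the account it names, using a set-based <who> clause.
# Assumptions not stated on the list:
#   - account entries live under ou=accounts,dc=uta,dc=edu
#   - person entries carry accountName, whose values equal account uid values
#
# Constructed sample entries this rule is written against:
#   dn: uid=jdoe,ou=accounts,dc=uta,dc=edu
#   uid: jdoe
#
#   dn: cn=John Doe,cn=people,dc=uta,dc=edu
#   accountName: jdoe
#
# Evaluation: a bind as uid=jdoe,ou=accounts,dc=uta,dc=edu gives
# user/uid = {jdoe}; the target entry gives this/accountName = {jdoe};
# the intersection is non-empty, so "read" is granted.  Any other account
# produces an empty intersection and falls through to "by * none".
#
# Both qualifiers in the first "by" clause must hold: the bind DN has to be
# below the accounts subtree AND share a uid value with the person's
# accountName.  Indented lines are slapd.conf continuation lines.

access to dn.subtree="cn=people,dc=uta,dc=edu"
    by dn.children="ou=accounts,dc=uta,dc=edu"
       set.exact="this/accountName & user/uid" read
    by * none
```

Because slapd uses the first "access to" directive whose target matches, this stanza has to appear before any broader rule covering cn=people, or it will never be consulted. Leaving out the dn.children qualifier would let any entry anywhere in the directory that happens to carry a matching uid value read the person entry, which is the gap the explicit narrowing closes.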