
Re: ACL set syntax with 2 conditions



> Hi all,
>
> I am using the set syntax in my ACL and I would like to compare two
> attributes (a1 and a2) of the target and the user.
> I'd like to authorize write access only for DNs which have the same
> attribute a1 and the same a2.
> (Note: a1 and a2 never have the same value)
>
> With the help of the faq-o-matic "Sets in Access Controls" I wrote the
> following rule:
>
> access to ou=...
>     by set="(this/a1 & user/a1) & (this/a2 & user/a2)" write
>     by * none
>
> And... no match
> I suppose that in fact this rule makes the intersection between this/a1,
> user/a1, this/a2 and user/a2, obviously there is no match !
>
> I am working with OpenLDAP version 2.1, so I cannot use the
> concatenation operator "+".
>
> Maybe some of you know how to write the correct set syntax, or have any
> other idea than using set to get such an access rule working.

A quick hack, unless anyone comes out with a better idea:

access to ou=...
    by set="this/a1 & user/a1" write continue
    by set="this/a2 & user/a2" +0

Note that logical "&&" (and "||"?) operators might be added to 2.3; see
<http://www.openldap.org/lists/openldap-devel/200503/msg00048.html> for
discussion.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
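To make the failure mode in the question concrete, here is an added toy model of how a "set" ACL expression evaluates (it is not slapd's code and not part of this thread): "this/a1 & user/a1" is the set of values the target and the bound user share, a clause matches when its set is non-empty, and intersecting the a1 result with the a2 result is necessarily empty when a1 and a2 never share values. The two-clause variant assumes, as the reply does, that both clauses must match for write access.

```python
# Added illustration of OpenLDAP "set" ACL semantics (toy model, not slapd).
# An entry is modelled as attribute -> set of values.
from typing import Dict, Set

Entry = Dict[str, Set[str]]


def intersect(this: Entry, user: Entry, attr: str) -> Set[str]:
    """Model of 'this/attr & user/attr': values both entries share."""
    return this.get(attr, set()) & user.get(attr, set())


def combined_clause(this: Entry, user: Entry) -> bool:
    """The rule from the question: (this/a1 & user/a1) & (this/a2 & user/a2).

    The outer '&' is again a set intersection, so the shared a1 values are
    intersected with the shared a2 values. Because a1 and a2 never hold the
    same value, this is empty for every user, hence 'no match'.
    """
    return bool(intersect(this, user, "a1") & intersect(this, user, "a2"))


def split_clauses(this: Entry, user: Entry) -> bool:
    """Model of the intended check as two separate 'by set=' clauses.

    Assumption (hypothetical, as in the reply's hack): access is granted only
    when each clause's set is non-empty on its own.
    """
    return bool(intersect(this, user, "a1")) and bool(intersect(this, user, "a2"))


# Constructed sample entries (not real directory data).
TARGET = {"a1": {"dept-42"}, "a2": {"site-pavia"}}
USER_SAME = {"a1": {"dept-42"}, "a2": {"site-pavia"}}
USER_OTHER_SITE = {"a1": {"dept-42"}, "a2": {"site-milano"}}

if __name__ == "__main__":
    print("combined, same dept+site :", combined_clause(TARGET, USER_SAME))
    print("split,    same dept+site :", split_clauses(TARGET, USER_SAME))
    print("split,    other site     :", split_clauses(TARGET, USER_OTHER_SITE))
```

The combined expression rejects even a user whose a1 and a2 both match the target, while the split version grants that user and still rejects one whose a2 differs.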