[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: sets and groupOfNames groups

Em Sex, 2007-09-14 Ãs 14:07 -0300, Andreas Hasenack escreveu:
> So why was "jsmith" allowed to create a new entry under ou=sudoers? He
> is not a member of any of the special groups, and I only changed the ACL
> line from "by group" to "by set".

This is the right ACL. At least, this one works for me:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
 by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* &
user" write
 by * read

I was missing the "& user" part. And it works with nested groups now:

$ ldapsearch -x -LLL "cn=sudo admins" member
dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
member: cn=Account Admins,ou=System Groups,dc=example,dc=com

$ ldapsearch -x -LLL "cn=account admins" member
dn: cn=Account Admins,ou=System Groups,dc=example,dc=com
member: uid=Account Admin,ou=System Accounts,dc=example,dc=com
member: uid=jsmith,ou=people,dc=example,dc=com

And jsmith can create/change sudo entries:
$ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith <
adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"