
Re: sets and groupOfNames groups



On Fri, 2007-09-14 at 14:07 -0300, Andreas Hasenack wrote:
> So why was "jsmith" allowed to create a new entry under ou=sudoers? He
> is not a member of any of the special groups, and I only changed the ACL
> line from "by group" to "by set".

This is the right ACL. At least, this one works for me:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
 attrs=children,entry,@sudoRole
 by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write
 by * read

I was missing the "& user" part. And it works with nested groups now:

$ ldapsearch -x -LLL "cn=sudo admins" member
dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
member: cn=Account Admins,ou=System Groups,dc=example,dc=com

$ ldapsearch -x -LLL "cn=account admins" member
dn: cn=Account Admins,ou=System Groups,dc=example,dc=com
member: uid=Account Admin,ou=System Accounts,dc=example,dc=com
member: uid=jsmith,ou=people,dc=example,dc=com

And jsmith can create/change sudo entries:
$ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith < foo.ldif
adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"

$
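Added example (not from the thread above, and not OpenLDAP's own evaluator): a small Python model of how slapd evaluates this ACL, using the group data from the two ldapsearch outputs plus a hypothetical uid=bob who belongs to no group. It models `[group]/member*` as the transitive closure of the member attribute (assumption: only DNs reached at depth one or more are included, which does not change the outcome here since the starting DN is a group, not a bind DN), and applies the rule that a `by set=` clause matches whenever the resulting set is non-empty. That rule is exactly why the `& user` intersection matters: without it the set is the whole membership closure, which is non-empty for every bind DN, so everyone gets write. DN comparison is case-sensitive here for simplicity; slapd normalizes DNs.

```python
import re

# Constructed directory, transcribed from the ldapsearch output in the thread.
# uid=bob is a hypothetical account that is a member of nothing.
DIRECTORY = {
    "cn=Sudo Admins,ou=System Groups,dc=example,dc=com": {
        "member": [
            "uid=Sudo Admin,ou=System Accounts,dc=example,dc=com",
            "cn=Account Admins,ou=System Groups,dc=example,dc=com",
        ]
    },
    "cn=Account Admins,ou=System Groups,dc=example,dc=com": {
        "member": [
            "uid=Account Admin,ou=System Accounts,dc=example,dc=com",
            "uid=jsmith,ou=people,dc=example,dc=com",
        ]
    },
    "uid=jsmith,ou=people,dc=example,dc=com": {},
    "uid=bob,ou=people,dc=example,dc=com": {},  # hypothetical non-member
}

SUDO_ADMINS = "cn=Sudo Admins,ou=System Groups,dc=example,dc=com"

# The dn.regex from the ACL: ou=sudoers itself, or a one-level child of it.
TARGET_RE = re.compile(r"^([^,]+,)?ou=sudoers,dc=example,dc=com$")


def target_matches(dn):
    """True if the ACL's dn.regex applies to this entry."""
    return TARGET_RE.match(dn) is not None


def member_closure(group_dn, attr="member"):
    """Model of the set expression [group_dn]/member*.

    Follows the member attribute recursively and returns every DN reached,
    so members of nested groups are included (assumption: the starting DN
    itself is not part of the result).
    """
    seen, frontier = set(), [group_dn]
    while frontier:
        dn = frontier.pop()
        for m in DIRECTORY.get(dn, {}).get(attr, []):
            if m not in seen:
                seen.add(m)
                frontier.append(m)
    return seen


def set_clause_matches(group_dn, user_dn, intersect_with_user=True):
    """A 'by set=' clause matches when the evaluated set is non-empty.

    intersect_with_user=True  models  [group]/member* & user
    intersect_with_user=False models  [group]/member*   (the broken version)
    """
    result = member_closure(group_dn)
    if intersect_with_user:
        result = result & {user_dn}
    return bool(result)


def access_level(target_dn, user_dn, intersect_with_user=True):
    """Return the access the ACL grants user_dn on target_dn, or None if the
    ACL's dn.regex does not cover target_dn at all."""
    if not target_matches(target_dn):
        return None
    if set_clause_matches(SUDO_ADMINS, user_dn, intersect_with_user):
        return "write"
    return "read"  # the trailing 'by * read'


if __name__ == "__main__":
    entry = "cn=iurt,ou=sudoers,dc=example,dc=com"
    for user in ("uid=jsmith,ou=people,dc=example,dc=com",
                 "uid=bob,ou=people,dc=example,dc=com"):
        print(user, "with '& user':", access_level(entry, user),
              "| without:", access_level(entry, user, False))
```

Running it shows jsmith getting write through the nested Account Admins group while bob gets only read, and that dropping `& user` hands write to bob as well, which is the behaviour the original question was about.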