[Date Prev][Date Next]
Re: sets and groupOfNames groups
Em SÃb, 2007-09-15 Ãs 00:45 +0200, Pierangelo Masarati escreveu:
> Andreas Hasenack wrote:
> > Now I want to be able to use nested groups, so I follow the FAQ and do a
> > test with sets:
> > access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
> > attrs=children,entry,@sudoRole
> > by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*"
> > write
> > by * read
> > Without changing anything in the sudo admins group entry, suddenly I can
> > create new entries under ou=sudoers as any authenticated user. That is,
> > the group still only has the "uid=sudo admin" member, but I can add a
> > new sudo entry as another user:
> That's because sets grant permission as soon as the result of their
> evaluation is a non-empty set, and yours will always be non-empty.
Ah, right, that was the missing piece.
> You need to check whether the intersection between the nested group
> expansion and the user is not empty. Something like [any newlines added
> by the mailer]:
> by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* &
> user" write
> should work.
Worked just fine, thanks!