Re: problem with access by set and group membership (posixgroup, groupofnames)

["Dr. Hansjörg Maurer" <hansjoerg.maurer@itsd.de>]

Hi

this works.
Thank you very much.
Do you think this might be a general way to give posixgroups ACL in ldap?
I found in the archives, that many try to do this...

regards

Hansjörg

Pierangelo Masarati schrieb:
> Pierangelo Masarati wrote:
>
>   
> > > access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv"
> > >        by set="([uid=] + ([cn=domain
> > > admins,ou=groups,dc=byn,dc=drv])/memberUid  + [,ou=users,dc=byn,dc=drv])
> > > & user" write
> > >        by * none
> > >       
>
>
> You can check if my analysis was correct and, in that case, work your
> issue around, by adding another layer of dereferencing to constructed
> DNs, thus forcing them to be normalized according to uid instead of
> using memberUid's value.  The above rule could be modified as
>
> access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv"
>         by set="([uid=] + ([cn=domain
> admins,ou=groups,dc=byn,dc=drv])/memberUid  +
> [,ou=users,dc=byn,dc=drv])/entryDN & user" write
>
> (remove all line wrapping, of course).
>
> p.
>
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office:  +39 02 23998309
> Mobile:  +39 333 4963172
> Email:   pierangelo.masarati@sys-net.it
> ---------------------------------------
>
>
>   


--
Dr. Hansjörg Maurer
itsystems Deutschland AG
Linprunstraße 10
80335 München
Tel:   +49-89-52 04 68-41
Fax:   +49-89-52 04 68-59
E-Mail: hansjoerg.maurer@itsd.de
Web:    http://www.itsd.de


Amtsgericht München HRB 132146
USt-IdNr. DE 812991301
Steuer-Nr. 143/100/81575

Aufsichtsratsvorsitzender:
Stefan Adam
Vorstand:
Dr. Michael Krocka
Dr. Hansjörg Maurer
Dr. Wilfried Trinkl