[Date Prev][Date Next]
Re: Question to meta-backend / ldap-backend
Am Montag 27 Oktober 2008 schrieb Pierangelo Masarati:
> Wilhelm Meier wrote:
> > I don't see how to make this work with the rwm-overlay or some
> > sort of acls.
> > But I'm sure, I missed something ...
> You probably didn't read slapd.access(5) where it discusses the
> "filter" form of the <what> clause.
Thank you for this advice, but it doesn't fully solve the problem:
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=kmux,dc=de" write
by anonymous auth
by self write
by * none
This limits the authentication to users whose posix primary (!) group
hat the gid-number 998 (the dn.regex in the example above isn't
But that's not the whole story. We want to grant access also to those
users with one of their secondary (!) posix groups is some special
group, e.g. cn=archiv,ou=gruppen,dc=kmux.dc=de
So it must be possible to search for an object of
objectclass=posixGroup with the attribute memberUid=<uid>, where
<uid> is the value of the uid-attribute of the user, who tries to
bind to the slapd. If this search returns one (or more) results, the
user should be authenticated.