Re: Question to meta-backend / ldap-backend
Wilhelm Meier <wilhelm.meier@fh-kl.de> writes:
> On Monday 27 October 2008 Pierangelo Masarati wrote:
>> Wilhelm Meier wrote:
>> > I don't see how to make this work with the rwm-overlay or some
>> > sort of acls.
>> > But I'm sure, I missed something ...
>>
>> You probably didn't read slapd.access(5) where it discusses the
>> "filter" form of the <what> clause.
>
> Thank you for this advice, but it doesn't fully solve the problem:
>
> access to attrs=userPassword,shadowLastChange
> dn.regex="uid=([^,]+),ou=Benutzer,dc=kmux,dc=de"
> filter="gidNumber=998"
> by dn="cn=admin,dc=kmux,dc=de" write
> by anonymous auth
> by self write
> by * none
>
> This limits the authentication to users whose posix primary (!) group
> has the gid-number 998 (the dn.regex in the example above isn't
> needed).
>
> But that's not the whole story. We want to grant access also to those
> users for whom one of their secondary (!) posix groups is some special
> group, e.g. cn=archiv,ou=gruppen,dc=kmux,dc=de
>
> So it must be possible to search for an object of
> objectclass=posixGroup with the attribute memberUid=<uid>, where
> <uid> is the value of the uid attribute of the user who tries to
> bind to the slapd. If this search returns one (or more) results, the
> user should be authenticated.
This can be solved with sets.
http://www.openldap.org/faq/data/cache/1133.htm
And searching the mail archive, numerous examples can be found.
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.180.1555.7770535
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
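The set-based rule Dieter points to, written out as an added slapd.conf example (not from this thread or the FAQ). It reuses the suffix dc=kmux,dc=de, the user base ou=Benutzer, gid 998 and the group cn=archiv,ou=gruppen from Wilhelm's message; the dn.subtree scope and the clause ordering are my assumptions.

```conf
# Added example; assumes the DNs and gid from the thread above.
#
# Rule 1: primary-group members. The "filter" form of <what> (as
# Pierangelo suggested) restricts this rule to user entries whose
# gidNumber is 998. slapd uses the first "access to" clause whose
# <what> matches the target entry, so entries with gidNumber=998
# never reach rule 2.
access to attrs=userPassword,shadowLastChange
        dn.subtree="ou=Benutzer,dc=kmux,dc=de"
        filter="(gidNumber=998)"
    by dn="cn=admin,dc=kmux,dc=de" write
    by self write
    by anonymous auth
    by * none

# Rule 2: secondary-group members. In a set, "this" is the entry being
# accessed (the user whose userPassword is read during the bind),
# so "this/uid" works even though the binder is still anonymous.
# The set is non-empty, i.e. the clause matches, only when that uid
# appears among the memberUid values of cn=archiv.
#
# Within one rule the first matching "by" clause decides, so
# "by self write" must come before the set clause: otherwise a member
# of cn=archiv would only get "auth" on their own password entry.
access to attrs=userPassword,shadowLastChange
        dn.subtree="ou=Benutzer,dc=kmux,dc=de"
    by dn="cn=admin,dc=kmux,dc=de" write
    by self write
    by set="[cn=archiv,ou=gruppen,dc=kmux,dc=de]/memberUid & this/uid" auth
    by * none
```

Before reloading slapd, slapacl(8) can be run as the anonymous identity against a user entry with and without a matching memberUid value to confirm that "auth" on userPassword is granted only for entries covered by one of the two rules.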