
Re: Question to meta-backend / ldap-backend

Wilhelm Meier <wilhelm.meier@fh-kl.de> writes:

> On Monday 27 October 2008 Pierangelo Masarati wrote:
>> Wilhelm Meier wrote:
>> > I don't see how to make this work with the rwm-overlay or some
>> > sort of acls.
>> > But I'm sure, I missed something ...
>> You probably didn't read slapd.access(5) where it discusses the
>> "filter" form of the <what> clause.
> Thank you for this advice, but it doesn't fully solve the problem:
> access to attrs=userPassword,shadowLastChange
>         dn.regex="uid=([^,]+),ou=Benutzer,dc=kmux,dc=de"
>         filter="gidNumber=998"
>         by dn="cn=admin,dc=kmux,dc=de" write
>         by anonymous auth
>         by self write
>         by * none
> This limits the authentication to users whose posix primary (!) group 
> has the gid-number 998 (the dn.regex in the example above isn't 
> needed).
> But that's not the whole story. We want to grant access also to those 
> users for whom one of their secondary (!) posix groups is some special 
> group, e.g. cn=archiv,ou=gruppen,dc=kmux,dc=de
> So it must be possible to search for an object of 
> objectclass=posixGroup with the attribute memberUid=<uid>, where 
> <uid> is the value of the uid-attribute of the user, who tries to 
> bind to the slapd. If this search returns one (or more) results, the 
> user should be authenticated.

This approach can be solved by sets.
Search the mail archive; there you can find numerous examples.


Dieter Klünter | Systemberatung
sip: +49.180.1555.7770535
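An added illustration of the set-based approach (not from the mail thread or the OpenLDAP project): the filter form of the <what> clause keeps the primary-group case from the quoted ACL, and a second directive uses a set that intersects the target entry's uid with the memberUid values of the special group. It assumes cn=archiv,ou=gruppen,dc=kmux,dc=de is a posixGroup entry listing members in memberUid, and uses the admin DN and suffix from the mail.

```conf
# Case 1: primary posix group 998 (filter form of <what>, as in the quoted mail).
# Entries that do not match the filter fall through to the next directive.
access to filter="(gidNumber=998)" attrs=userPassword,shadowLastChange
        by dn.exact="cn=admin,dc=kmux,dc=de" write
        by anonymous auth
        by self write
        by * none

# Case 2: secondary posix group membership via a set.
# "this" is the entry being bound to; "[DN]/memberUid" is the set of memberUid
# values of the assumed group entry. The "&" intersection is non-empty only
# when the user's uid is listed in that group, so only then is "auth" granted.
access to attrs=userPassword,shadowLastChange
        by dn.exact="cn=admin,dc=kmux,dc=de" write
        by set="this/uid & [cn=archiv,ou=gruppen,dc=kmux,dc=de]/memberUid" auth
        by self write
        by * none
```

Both directives end with "by * none", so any user matching neither case cannot authenticate; slapd.access(5) marks sets as experimental, so verify the behaviour with slapacl before relying on it.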