[Date Prev][Date Next]
Re: Question to meta-backend / ldap-backend
Wilhelm Meier <email@example.com> writes:
> Am Montag 27 Oktober 2008 schrieb Pierangelo Masarati:
>> Wilhelm Meier wrote:
>> > I don't see how to make this work with the rwm-overlay or some
>> > sort of acls.
>> > But I'm sure, I missed something ...
>> You probably didn't read slapd.access(5) where it discusses the
>> "filter" form of the <what> clause.
> Thank you for this advice, but it doesn't fully solve the problem:
> access to attrs=userPassword,shadowLastChange
> by dn="cn=admin,dc=kmux,dc=de" write
> by anonymous auth
> by self write
> by * none
> This limits the authentication to users whose posix primary (!) group
> hat the gid-number 998 (the dn.regex in the example above isn't
> But that's not the whole story. We want to grant access also to those
> users with one of their secondary (!) posix groups is some special
> group, e.g. cn=archiv,ou=gruppen,dc=kmux.dc=de
> So it must be possible to search for an object of
> objectclass=posixGroup with the attribute memberUid=<uid>, where
> <uid> is the value of the uid-attribute of the user, who tries to
> bind to the slapd. If this search returns one (or more) results, the
> user should be authenticated.
This approach can be solved by sets.
An search the mail archive, there can be found numerous examples.
Dieter KlÃnter | Systemberatung
GPG Key ID:8EF7B6C6