Re: "to" rules

uri_gr1@tut.by writes:
> I have openldap-2.4.8 up and running. I have ou=People subtree with
> posixAccounts and I need to grant access to, let's say,
> ou=Clients,ou=AddressBook by all rdn's in ou=People, having gidNumber=10008.

I'm not quite sure what you mean with "by all rdn's".
Something like, user uid=uri_gr1,ou=People,dc=tut,dc=by
should have access to uid=uri_gr1,ou=Clients,ou=AddressBook,dc=tut,dc=by
if the user entry contains attribute gidNumber: 10008?

And what access?  To update the entry?  Untested:

# in a set specification "user" denotes the bound DN ("this" the target entry)
access to dn.regex="^(uid=[^,]*),ou=Clients,ou=AddressBook,dc=tut,dc=by$"
       by dn.exact,expand="$1,ou=People,ou=AddressBook,dc=tut,dc=by"
          set.exact="user/gidNumber & 10008"

Note however that if users have write access to their own gidNumber
attribute, they can insert themselves in the group and give themselves
access.   Or if you instead want members listed in that group rather
than with that gidNumber as their primary group:

access to dn.regex="^uid=([^,]*),ou=Clients,ou=AddressBook,dc=tut,dc=by$"
   by dn.exact,expand="uid=$1,ou=People,ou=AddressBook,dc=tut,dc=by"
      set.expand="[cn=group10008,ou=filegroups,dc=tut,dc=by]/memberUid & $1"

If they should also be able to add/delete this entry, they need
write access to attrs=children of the ou=Clients entry:

access to dn.exact=ou=Clients,ou=AddressBook,dc=tut,dc=by
       by... well, maybe dn.children="Clients,ou=AddressBook,dc=tut,dc=by"

Another note: Computer accounts are not people.  You may be making
problems for yourself if you are mixing the two up in one subtree, and
then e.g. use that as both an address book (where one expects one entry
per person) and for account info.  If one person has two accounts, you
have to make him two "people" in the ou=people subtree.  If you want
impersonal accounts, they will appear as people too to clients that
do not take care to weed out entries with objectClass=person.
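Added example, not part of the original message: a complete slapd.conf
ACL fragment that puts the pieces discussed above together and closes the
hole mentioned (self-write on gidNumber). It assumes the DIT layout used in
the thread (dc=tut,dc=by with ou=People and ou=Clients,ou=AddressBook) and
a group entry cn=group10008,ou=filegroups,dc=tut,dc=by; all DNs and the
access levels (read/write) are assumptions chosen for illustration.

```conf
# Added example, not from the original post.  Assumes ou=People and
# ou=Clients,ou=AddressBook under dc=tut,dc=by and a posixGroup entry
# cn=group10008,ou=filegroups,dc=tut,dc=by (all assumed names).
#
# slapd evaluates "access to" clauses in order and uses the first whose
# target (entry + attributes) matches, then the first matching "by" clause.
# The gidNumber rule must therefore precede any broader rule on ou=People.

# 1. Nobody but the rootdn may write gidNumber.  Without this, a user with
#    write access to his own entry could set gidNumber: 10008 and grant
#    himself access under rule 2.
access to dn.subtree="ou=People,dc=tut,dc=by" attrs=gidNumber
        by self read
        by users read
        by * none

# 2. The account uid=<x>,ou=People may write uid=<x>,ou=Clients,... only if
#    its own entry carries gidNumber=10008.  Both "by" conditions are ANDed;
#    "user" in a set spec is the bound DN, so no $n expansion is needed here.
access to dn.regex="^uid=([^,]+),ou=Clients,ou=AddressBook,dc=tut,dc=by$"
        by dn.exact,expand="uid=$1,ou=People,dc=tut,dc=by"
           set.exact="user/gidNumber & 10008" write
        by users read
        by * none

# 3. Adding or deleting entries below ou=Clients needs write access to the
#    parent's "children" pseudo-attribute.  Here it is granted to accounts
#    listed as memberUid in the group, using [dn]/attr set syntax.
access to dn.exact="ou=Clients,ou=AddressBook,dc=tut,dc=by" attrs=children
        by set="[cn=group10008,ou=filegroups,dc=tut,dc=by]/memberUid & user/uid" write
        by * none
```

Rule 1 is the defensive part: because the "by" clause in rule 2 trusts the
gidNumber value on the bound user's entry, that attribute must not be
self-writable, or the membership check is meaningless.  Check the result
with slapacl(8) against a test DN before relying on it.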