
Re: Help with ACL's



> Tyler Gates wrote:
> > Hello,
> >    I'm having a hard time setting some ACLs for my particular setup. I
> > have a structure as follows:
> >
> > dn: uid=*,ou=people,dc=example,dc=com   # uid contains several unix/linux user ids
> > dn: cn=*,ou=groups,dc=example,dc=com    # cn contains several unix/linux groups.
> >   uid's (not the complete dn) are supplied to the memberUid fields
> > 
> > What I would like to do is place an organizationalRole in each group
> > and have ACLs set up so that its uniqueMembers have access to certain
> > attrs (say for example sn) for the uid's (which correspond to those in
> > ou=people) specified in the memberUid fields of the group in which the
> > organizationalRole is placed.
> > 
> > pseudo code would be something as follows:
> > 
> > access to
> > group/posixAccount/memberUid.regex("cn=(.*),ou=groups,dc=example,dc=com")
> > attrs sn by
> > group/organizationalRole/uniqueMembers/.regex("cn=admin,cn=$1,ou=groups,dc=example,dc=com")
> > write
> > 
> > Thanks,
> >     Tyler
> > 
> 
> Hi,
> 
> you can use sets for this:
> 
>     access to dn.regex="^(cn=[^,]+,ou=groups,dc=example,dc=com)$"
>     attrs="sn"
>        by set.expand="[cn=admin,$1]/memberUid & user/uid" write
> 
> 
> Regards,
> Christian
> 


Hi Christian,
    I think I get the sets but that ACL doesn't work, and I'm not sure
if regexes or sets will even do the job. A conditional statement if
possible may be the only way.  Again I'm looking for members of an
organizational role
(cn=admin,cn=groupname,ou=group,dc=example,dc=com) placed in a group
(cn=groupname,ou=group,dc=example,dc=com) to be able to access ONLY the
people listed in that group
(group/OrganizationalRole/memberUid((cn=groupname,ou=group,dc=example,dc=com))
and nobody else. The people listed in that group are the memberUid and
should match up to the complete dn as defined in
uid=<memberUid>,ou=people,dc=example,dc=com.


 Tyler
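As an added illustration (not code from either poster), a small Python model of how the set in Christian's ACL is evaluated against a constructed directory, next to the relationship Tyler is asking for. It assumes the standard set semantics (`[dn]/attr` yields that entry's attribute values, `&` intersects, a non-empty result grants) and models organizationalRole membership with roleOccupant, the attribute that object class actually carries, rather than uniqueMember.

```python
import re

# Constructed sample directory (not from the thread): one attribute map per DN.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": {"alice"}, "sn": {"A"}},
    "uid=bob,ou=people,dc=example,dc=com":   {"uid": {"bob"},   "sn": {"B"}},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": {"carol"}, "sn": {"C"}},
    "cn=web,ou=groups,dc=example,dc=com": {"memberUid": {"alice", "bob"}},
    # organizationalRole members are roleOccupant values (full DNs), not uniqueMember.
    "cn=admin,cn=web,ou=groups,dc=example,dc=com":
        {"roleOccupant": {"uid=carol,ou=people,dc=example,dc=com"}},
    "cn=db,ou=groups,dc=example,dc=com": {"memberUid": {"carol"}},
    "cn=admin,cn=db,ou=groups,dc=example,dc=com":
        {"roleOccupant": {"uid=alice,ou=people,dc=example,dc=com"}},
}

def values(dn, attr):
    """Model of the set operator [dn]/attr: the attribute's values, empty if absent."""
    return DIRECTORY.get(dn, {}).get(attr, set())

GROUP_RE = re.compile(r"^(cn=[^,]+,ou=groups,dc=example,dc=com)$")
PERSON_RE = re.compile(r"^uid=([^,]+),ou=people,dc=example,dc=com$")

def proposed_rule_grants(user_dn, target_dn):
    """Christian's ACL as modelled: the target must be a group entry ($1) and the
    set [cn=admin,$1]/memberUid & user/uid must be non-empty."""
    m = GROUP_RE.match(target_dn)
    if not m:
        return False  # the <what> clause never matches an entry under ou=people
    role_dn = f"cn=admin,{m.group(1)}"
    return bool(values(role_dn, "memberUid") & values(user_dn, "uid"))

def intended_rule_grants(user_dn, target_dn):
    """What Tyler describes: the bound user occupies the admin role of some group
    whose memberUid lists the uid of the target person entry."""
    m = PERSON_RE.match(target_dn)
    if not m:
        return False
    target_uid = m.group(1)
    for group_dn in (dn for dn in DIRECTORY if GROUP_RE.match(dn)):
        if target_uid in values(group_dn, "memberUid") and \
           user_dn in values(f"cn=admin,{group_dn}", "roleOccupant"):
            return True
    return False
```

Running both functions over the sample shows the proposed rule only ever evaluates against group entries (and the admin role entries carry no memberUid), while the intended relationship needs the target's uid looked up through the group that names it.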