Re: Help with ACL's
Not a bad idea, although it's not as visually logical as I would like it
to be, and I'm not sure if unix/linux would misinterpret them as group
members. Something to work with though, thanks.
On Thu, 04 Jun 2009 16:09:37 +0200
Christian Manal <firstname.lastname@example.org> wrote:
> Tyler Gates wrote:
> >> Tyler Gates wrote:
> >>> Hello,
> >>> I'm having a hard time setting some ACLs for my particular setup. I
> >>> have a structure as follows: dn: uid=*,ou=people,dc=example,dc=com #
> >>> uid contains several unix/linux user ids dn:
> >>> cn=*,ou=groups,dc=example,dc=com # cn contains several unix/linux
> >>> groups. uids (not the complete dn) are supplied to the memberUid fields
> >>> What I would like to do is place an organizationalRole in each group
> >>> and have ACLs set up so that its uniqueMembers have access to certain
> >>> attrs (say for example sn) for the uids (which correspond to those in
> >>> ou=people) specified in the memberUid fields of the group in which the
> >>> organizationalRole is placed.
> >>> pseudo code would be something as follows:
> >>> access to
> >>> group/posixAccount/memberUid.regex("cn=(.*),ou=groups,dc=example,dc=com")
> >>> attrs sn by
> >>> group/organizationalRole/uniqueMembers/.regex("cn=admin,cn=$1,ou=groups,dc=example,dc=com")
> >>> write
> >>> Thanks,
> >>> Tyler
> >> Hi,
> >> you can use sets for this:
> >> access to dn.regex="^(cn=[^,]+,ou=groups,dc=example,dc=com)$"
> >> attrs="sn"
> >> by set.expand="[cn=admin,$1]/memberUid & user/uid" write
> >> Regards,
> >> Christian
> > Hi Christian,
> > I think I get the sets but that ACL doesn't work, and I'm not sure
> > if regexes or sets will even do the job. A conditional statement if
> > possible may be the only way. Again I'm looking for members of an
> > organizational role
> > (cn=admin,cn=groupname,ou=group,dc=example,dc=com) placed in a group
> > (cn=groupname,ou=group,dc=example,dc=com) to be able to access ONLY the
> > people listed in that group
> > (group/OrganizationalRole/memberUid((cn=groupname,ou=group,dc=example,dc=com))
> > and nobody else. The people listed in that group are the memberUid and
> > should match up to the complete dn as defined in
> > uid=<memberUid>,ou=people,dc=example,dc=com.
> > Tyler
> I'm sorry, I think I misunderstood what you wanted to accomplish. So you
> want the members of
> to have access to the accounts of all <memberUid>s of <groupname>?
> If that is even possible in that structure, I have no idea how to do it.
> Why don't you put the 'admin users' in a different attribute of the same
> group, without the 'cn=admin' child object? That way you could use a set
> or group ACL.
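As an added illustration of Christian's last suggestion (this is example configuration, not anything posted in the thread), the fragment below shows one way to write the rule once the admin users live in an attribute of the group entry itself instead of in a `cn=admin` child. Note the difference from the set ACL quoted earlier: that rule's `to dn.regex` selected the group entries, whereas `sn` lives on the person entries, so the `to` clause here targets `ou=people` and captures the uid as `$1`. It assumes OpenLDAP 2.4 `slapd.conf` syntax, that the group entry's schema allows an `owner` attribute (the attribute name is an assumption; any DN-valued attribute works), and that a set element written as an `ldap:///` URI is expanded by an internal search (check `slapd.access(5)` and the sets FAQ for the version in use). The group entry is a constructed sample.

```conf
# Constructed sample group entry (LDIF shown as comments for reference):
#   dn: cn=devs,ou=groups,dc=example,dc=com
#   objectClass: posixGroup          # plus whatever class permits "owner" (assumed)
#   memberUid: alice
#   memberUid: bob
#   owner: uid=carol,ou=people,dc=example,dc=com

# Target: the person entries; $1 captures the uid part of the DN.
access to dn.regex="^uid=([^,]+),ou=people,dc=example,dc=com$" attrs=sn
    # Grant write when the bound DN ("user") is an "owner" of at least one
    # group directly under ou=groups whose memberUid lists the target uid.
    # The URI is expanded with $1 substituted, the owner values of every
    # matching group are collected, and the set is non-empty only if the
    # bound DN is among them.
    by set.expand="user & [ldap:///ou=groups,dc=example,dc=com??one?(memberUid=$1)]/owner" write
    # Everyone else may only read sn; adjust to the site's default policy.
    by * read

# Remaining rules for ou=people (e.g. "by self write", "by * read") follow here.
```

Two practical checks before relying on this: confirm with `slapacl` that `uid=carol,...` gets `write` on `sn` of `uid=alice,...` but not of a uid absent from every group she owns, and remember that uid values containing LDAP filter metacharacters (`*`, `(`, `)`, `\`) are interpolated unescaped into the URI filter, so keep the `uid` syntax restricted or add an explicit `by * none` fallback.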