
Re: Help with ACL's



Not a bad idea, although it's not as visually logical as I would like it
to be, and I'm not sure if unix/linux would misinterpret them as group
members. Something to work with though, thanks.

  Tyler

On Thu, 04 Jun 2009 16:09:37 +0200
Christian Manal <moenoel@informatik.uni-bremen.de> wrote:

> Tyler Gates wrote:
> >> Tyler Gates wrote:
> >>> Hello,
> >>>    I'm having a hard time setting some ACLs for my particular setup. I
> >>> have a structure as follows: dn: uid=*,ou=people,dc=example,dc=com #
> >>> uid contains several unix/linux user ids dn:
> >>> cn=*,ou=groups,dc=example,dc=com # cn contains several unix/linux
> >>> groups. uids (not the complete dn) are supplied to the memberUid fields
> >>>
> >>> What I would like to do is place an organizationalRole in each group
> >>> and have ACLs set up so that its uniqueMembers have access to certain
> >>> attrs (say for example sn) for the uids (which correspond to those in
> >>> ou=people) specified in the memberUid fields of the group in which the
> >>> organizationalRole is placed.
> >>>
> >>> pseudocode would be something as follows:
> >>>
> >>> access to
> >>> group/posixAccount/memberUid.regex("cn=(.*),ou=groups,dc=example,dc=com")
> >>> attrs sn by
> >>> group/organizationalRole/uniqueMembers/.regex("cn=admin,cn=$1,ou=groups,dc=example,dc=com")
> >>> write
> >>>
> >>> Thanks,
> >>>     Tyler
> >>>
> >> Hi,
> >>
> >> you can use sets for this:
> >>
> >>     access to dn.regex="^(cn=[^,]+,ou=groups,dc=example,dc=com)$"
> >>     attrs="sn"
> >>        by set.expand="[cn=admin,$1]/memberUid & user/uid" write
> >>
> >>
> >> Regards,
> >> Christian
> >>
> > 
> > 
> > Hi Christian,
> >     I think I get the sets, but that ACL doesn't work, and I'm not sure
> > if regexes or sets will even do the job. A conditional statement, if
> > possible, may be the only way.  Again I'm looking for members of an
> > organizational role
> > (cn=admin,cn=groupname,ou=group,dc=example,dc=com) placed in a group
> > (cn=groupname,ou=group,dc=example,dc=com) to be able to access ONLY the
> > people listed in that group
> > (group/OrganizationalRole/memberUid((cn=groupname,ou=group,dc=example,dc=com))
> > and nobody else. The people listed in that group are the memberUid and
> > should match up to the complete dn as defined in
> > uid=<memberUid>,ou=people,dc=example,dc=com.
> > 
> > 
> >  Tyler
> > 
> 
> I'm sorry, I think I misunderstood what you wanted to accomplish. So you
> want the members of
> 
> 	'cn=admin,cn=<groupname>,ou=group,...'
> 
> to have access to the accounts of all <memberUid>s of <groupname>?
> 
> 	'uid=<memberUid>,ou=people,...'
> 
> If that is even possible in that structure, I have no idea how to do it.
> Why don't you put the 'admin users' in a different attribute of the same
> group, without the 'cn=admin' child object? That way you could use a set
> or group ACL.
> 
> 
> Regards,
> Christian
>