
Re: Help with ACL's



Tyler Gates wrote:
Hello,
   I'm having a hard time setting some ACLs for my particular setup. I
have a structure as follows:

dn: uid=*,ou=people,dc=example,dc=com    # uid contains several unix/linux user ids
dn: cn=*,ou=groups,dc=example,dc=com     # cn contains several unix/linux groups;
                                         # uids (not the complete dn) are supplied to the memberUid fields

What I would like to do is place an organizationalRole in each group
and have ACLs set up so that its uniqueMembers have access to certain
attrs (say for example sn) for the uids (which correspond to those in
ou=people) specified in the memberUid fields of the group in which the
organizationalRole is placed.

pseudo code would be something as follows:

access to
group/posixAccount/memberUid.regex("cn=(.*),ou=groups,dc=example,dc=com")
attrs sn by
group/organizationalRole/uniqueMembers/.regex("cn=admin,cn=$1,ou=groups,dc=example,dc=com")
write

Thanks,
    Tyler

Hi,

you can use sets for this:

    access to dn.regex="^(cn=[^,]+,ou=groups,dc=example,dc=com)$"
    attrs="sn"
       by set.expand="[cn=admin,$1]/memberUid & user/uid" write


Regards,
Christian



Hi Christian,
    I think I get the sets, but that ACL doesn't work, and I'm not sure
if regexes or sets will even do the job. A conditional statement, if
possible, may be the only way.  Again I'm looking for members of an
organizational role
(cn=admin,cn=groupname,ou=group,dc=example,dc=com) placed in a group
(cn=groupname,ou=group,dc=example,dc=com) to be able to access ONLY the
people listed in that group
(group/OrganizationalRole/memberUid((cn=groupname,ou=group,dc=example,dc=com))
and nobody else. The people listed in that group are the memberUid and
should match up to the complete dn as defined in
uid=<memberUid>,ou=people,dc=example,dc=com.


 Tyler


I'm sorry, I think I misunderstood what you wanted to accomplish. So you
want the members of

	'cn=admin,cn=<groupname>,ou=group,...'

to have access to the accounts of all <memberUid>s of <groupname>?

	'uid=<memberUid>,ou=people,...'

If that is even possible in that structure, I have no idea how to do it.
Why don't you put the 'admin users' in a different attribute of the same
group, without the 'cn=admin' child object? That way you could use a set
or group ACL.


Regards,
Christian
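Following Christian's last suggestion (admins kept in an attribute of the group entry instead of a cn=admin child), here is one way the ACL could be written with an expanded set. This is an added example, not from the thread or from the OpenLDAP documentation; it assumes a slapd (2.4-era) whose set ACLs accept an LDAP URI as the set name, and that the group entries can carry a DN-valued attribute, assumed here to be "owner", which lists the admins of that group.

```conf
# Added example, not part of the original thread.
#
# Assumed group entry (constructed sample):
#   dn: cn=devel,ou=groups,dc=example,dc=com
#   objectClass: posixGroup        # plus a class that permits "owner"
#   cn: devel
#   memberUid: alice
#   memberUid: bob
#   owner: uid=carol,ou=people,dc=example,dc=com
#
# Goal: carol may write the sn of uid=alice and uid=bob (memberUids of a
# group she owns) and of nobody else's entry.
#
# How the set is evaluated for a target entry uid=<X>,ou=people,...:
#   1. the dn.regex capture puts <X> into $1;
#   2. set.expand substitutes $1 into the LDAP URI, so slapd searches
#      ou=groups (one level) for entries with memberUid=<X>;
#   3. "/owner" gathers the owner values of those groups;
#   4. "& user" intersects them with the bound DN. A non-empty result
#      means the "by" clause matches and grants write.
#
# The capture is restricted to safe characters on purpose: a uid
# containing "(", ")" or "*" would otherwise be substituted verbatim
# into the search filter and could change what the filter matches.
access to dn.regex="^uid=([A-Za-z0-9._-]+),ou=people,dc=example,dc=com$"
        attrs=sn
    by set.expand="[ldap:///ou=groups,dc=example,dc=com??one?(memberUid=$1)]/owner & user" write
    by self read
    by * none
```

Rules are first-match, so this directive only decides sn on entries under ou=people; the rest of the tree still needs its own access directives after it.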