[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Recursive ACL entries (group member of group)

On 16/11/2009 12:08, Jan Fricke wrote:

This can be acheived using ACL sets. There is in fact an example of
exactly this use case in the admin guide!
http://www.openldap.org/doc/admin24/access-control.html#Sets -
Granting rights based on relationships

It is noted in the documentation that sets are experimental. Just to add
a word onto that, I use sets in several production environments, and
have absolutely no stability problems.

However, depending on the sets you use, the performance hit can be
important (sets can fire off thousands of search requests just to
evaluate one ACL, if they're badly written). Also, ACLs with sets are
not cached.

Hope this helps,

Thanks a lot!
This should work. But unfortunately it does not :-(

My ACL looks like this now:

access to dn.sub="ou=agents,dc=myDomain"
         by set="[cn=UserManagement,ou=rights,dc=myDomain]/member*" write
         by self read

is a member of
which is a member of

Test has write access to all other agents. But he still has the right
when I remove cn=supervisor... from the Usermanagement group.

Any idea why? How can I debug ACLs? Is it possible so print infos or do
something like setting breakpoints?

Yes. Use loglevel acl (or 128) and you will see extensive information about ACL interpretation.

Of course, if your user still has right access when the ACL you pasted doesn't give it to him, it is probably because this access is granted by a previous ACL. Remember that ACLs are a list, and the first rule to match a target will win.


Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org