[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs based on attributes?

Quoting Quanah Gibson-Mount <quanah@zimbra.com>:

Unfortunately sets aren't fully documented, so I can't say.

It's been a full decade since Mark Valence introduced us to sets, which is sad, because it is said to be so useful. You know, I wouldn't mind helping out with writing that documentation for the project... as long I would have someone with enough knowledge of the subject to collaborate with.

I would note that I'd personally just create a group for the IT
managers, and then do access based off the group...

Sure, but since this is actually a purely theoretical question, that would be missing the point. An old friend of mine from NIU, a directory specialist who works with eDir (and MAD, which he doesn't think much of), inspired me. He doesn't know much about OpenLDAP, but he has seen some things and it was this particular bit of functionality that made a lasting impression on him. He believes it's a technical advantage that OpenLDAP has over the competition. I imagine that it would scratch an itch that he is currently unable to reach.

Anyway, these are my current ACLs in full (using Kerberos for authentication):

   access to attrs=userPassword,shadowLastChange
        by * none

   access to dn.base="" by * read

   access to attrs=loginShell
        by self write
        by * read

   access to attrs=telephoneNumber
       by set.exact="user/title=telephonemanager" write

   #access to attrs=telephoneNumber
   #       by dn=uid=tmgr,ou=users,dc=example,dc=com write

   access to *
        by anonymous auth
        by users read
        by * none

Using the above ACLs and uid=tmgr, which has "title: telephonemanager", if I attempt to modify the telephoneNumber of another user, I receive the error:

   ldap_modify: Insufficient access (50)

However, if I uncomment the second to last access directive and comment out the one above it, then I can make that same modification without any problem.

If you or anyone else has an idea what might be preventing this "set" filter from working, I'd be much obliged.