[Date Prev][Date Next]
Re: ACLs based on attributes?
Quoting Quanah Gibson-Mount <email@example.com>:
Unfortunately sets aren't fully documented, so I can't say.
It's been a full decade since Mark Valence introduced us to sets,
which is sad, because it is said to be so useful. You know, I wouldn't
mind helping out with writing that documentation for the project... as
long I would have someone with enough knowledge of the subject to
I would note that I'd personally just create a group for the IT
managers, and then do access based off the group...
Sure, but since this is actually a purely theoretical question, that
would be missing the point. An old friend of mine from NIU, a
directory specialist who works with eDir (and MAD, which he doesn't
think much of), inspired me. He doesn't know much about OpenLDAP, but
he has seen some things and it was this particular bit of
functionality that made a lasting impression on him. He believes it's
a technical advantage that OpenLDAP has over the competition. I
imagine that it would scratch an itch that he is currently unable to
Anyway, these are my current ACLs in full (using Kerberos for authentication):
access to attrs=userPassword,shadowLastChange
by * none
access to dn.base="" by * read
access to attrs=loginShell
by self write
by * read
access to attrs=telephoneNumber
by set.exact="user/title=telephonemanager" write
#access to attrs=telephoneNumber
# by dn=uid=tmgr,ou=users,dc=example,dc=com write
access to *
by anonymous auth
by users read
by * none
Using the above ACLs and uid=tmgr, which has "title:
telephonemanager", if I attempt to modify the telephoneNumber of
another user, I receive the error:
ldap_modify: Insufficient access (50)
However, if I uncomment the second to last access directive and
comment out the one above it, then I can make that same modification
without any problem.
If you or anyone else has an idea what might be preventing this "set"
filter from working, I'd be much obliged.