[Date Prev][Date Next]
idea for access rules #2
Have a subtree like this:
So this time, some child elements of a dataX-subtree are "owned" by
certain users. What I want: when a user (cn=me) traverses the LDAP
tree, (s)he should only see the dataX-subtrees with at least one
child owned by this user. For the example above, the user cn=me
should get read access to "ou=data1" and to "cn=fact2,ou=data1",
but he should NOT get read access to ou=data2 and its children.
Specifying the access to the "cn=factX" entries is already solved,
now the only problem is to deny access to some of the "ou=dataX"
My current idea is something like this:
by set.expand="([ldap://127.0.0.1?base=$1?scope=sub]/owner) & user"
which should find all entries in a dataX subtree, collect their owners
and "compare" them with the current user.
But this does not look "nice" to me because of the additional required
LDAP search. Is there a more straightforward solution for this?
If not: is this search operation really EXECUTED? Which bind DN is used
to execute the search? The "current" one? I guess, to find the search
results for the LDAP query all access rules for the current user apply?
Thanks and regards