
Re: access control, groups/organizationalRole



Frederik Bosch <frederik.bosch@gmail.com> writes:

> Unfortunately, I can't get it working. Thanks again though! I am
> still not able to read, only auth/bind.
> Suppose I have the following setup.
>
> dn: cn=Role Example 1,o=Organization
> objectClass: organizationalRole
> cn: Role Example 1
> roleOccupant: uid=webmaster@example.com,ou=Partners,o=Organization
> roleOccupant: uid=admin@example.com,ou=Partners,o=Organization
> roleOccupant: uid=root@example.com,ou=Partners,o=Organization
>
> dn: cn=Role Example 2,o=Organization
> objectClass: organizationalRole
> cn: Role Example 2
> roleOccupant: uid=webmaster@example.co.uk,ou=Other,o=Organization
> roleOccupant: uid=admin@example.co.uk,ou=Other,o=Organization
> roleOccupant: uid=root@example.co.uk,ou=Other,o=Organization
>
> dn: cn=Role Example N,o=Organization
> objectClass: organizationalRole
> cn: Role Example N
> roleOccupant: uid=xx,ou=Misc,o=Organization
> roleOccupant: uid=yy,ou=Misc,o=Organization
> roleOccupant: uid=zz,ou=Misc,o=Organization
>
> Now I want to assign read access to the complete LDAP tree for all
> occupants of an organizationalRole.

something like

access to dn.subtree="o=organization"
       by
       group/organizationalRole/roleOccupant.expand="^cn=[^,]+,ou=[^,]+,o=organization$"
       read

You may check with slapd in debugging mode (-d acl)
and read man slapd.access(5) for more examples.

-Dieter

>
> Op 26-8-2010 11:22, Frederik Bosch schreef:
>> By the way, this seems to be correct syntax, but it does not give me
>> the correct result.
>>
>> access to attrs=uid,userPassword
>>         by anonymous auth
>>         by * none
>>
>> access to *
>>         by group/organizationalRole/roleOccupant.regex=".+" read
>>         by * none
>>
>> I am able to bind, but not to read the tree.
>>
>> Frederik
>>
>>
>>
>> Op 26-8-2010 10:47, Frederik Bosch schreef:
>>> Thanks again Dieter. That looks way too difficult for me :). I
>>> changed some things. Now suppose that I want to assign read access
>>> to every roleOccupant in an organizationalRole.
>>>
>>>     access to * by group/organizationalRole/roleOccupant read
>>>
>>> But that's not correct syntax. Slapd won't start. It has to be like
>>> this:
>>>
>>>     access to * by group/organizationalRole/roleOccupant="<DN>" read
>>>
>>> What syntax do I need to let "<DN>" match the whole tree?
>>>
>>> Thanks for the help,
>>> Frederik
>>>
>>>
>>> Op 25-8-2010 14:36, Frederik Bosch schreef:
>>>> That's not what I mean, but thanks for your suggestion.
>>>>
>>>> Let me try to rephrase. Suppose I have an organizationalRole
>>>> located in Amsterdam and Rotterdam. Now I only want to assign
>>>> rights to all occupants of the organizationalRole located in
>>>> Amsterdam.
>>>>
>>>> In xpath-like syntax, this would look like this.
>>>>
>>>> access to * by
>>>> group/organizationalRole[@location="Amsterdam"]/roleOccupant read
>>>>
>>>> How do I need to rewrite this for slapd?
>>>> Thanks,
>>>>
>>>> Frederik
>>>>
>>>>
>>>>
>>>> On 08/23/2010 06:03 PM, Frederik Bosch wrote:
>>>>> Hello,
>>>>>
>>>>> I am trying to set up an access control rule, but failed. All occupants
>>>>> of the objectClass organizationalRole that has a certain location may
>>>>> have read access. How do I set up this rule in slapd.conf?
>>>>>
>>>>> This is my line at the moment. This matches the dn of the occupant.
>>>>> But how do I match the location attribute of the organizationalRole?
>>>>>
>>>>> access to * by
>>>>> group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com"
>>>>> read
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>> Frederik

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
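
Added example (not from the thread or from OpenLDAP's own documentation): a slapd.conf ACL fragment built on the entries Frederik posted, showing that a group clause names one concrete role entry that slapd reads and checks for a roleOccupant equal to the bound DN, so "the whole tree" is handled by one by-line per role, or by a dn.regex capture expanded into the role DN. The role names and "o=Organization" as suffix come from the thread; the "cn=Role <ou>" naming in the variant is an assumption.

```conf
# Added example (not from the thread). Entries and names are the ones
# Frederik posted; "o=Organization" is assumed to be the database suffix.

# Passwords may be used for binding but never read back.
access to attrs=userPassword
        by anonymous auth
        by * none

# Read access for occupants of the listed roles. Each group clause names
# exactly one entry: slapd reads it, verifies objectClass organizationalRole
# and compares the bound DN against every roleOccupant value, so there is
# one "by" line per role rather than a pattern over role DNs.
access to dn.subtree="o=Organization"
        by group/organizationalRole/roleOccupant="cn=Role Example 1,o=Organization" read
        by group/organizationalRole/roleOccupant="cn=Role Example 2,o=Organization" read
        by * none

# Variant for a per-ou split (use INSTEAD of the rule above: slapd stops at
# the first "access to" clause whose target matches). The ou captured by
# dn.regex is substituted into the role DN, which assumes roles are named
# "cn=Role <ou>,o=Organization" (assumption, not Frederik's naming).
# Entries that are not below an ou need a rule of their own.
access to dn.regex="^(.+,)?ou=([^,]+),o=Organization$"
        by group/organizationalRole/roleOccupant.expand="cn=Role $2,o=Organization" read
        by * none
```

Run slapd with -d acl, as Dieter suggests, to watch which "to" clause and which "by" clause each request is evaluated against.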