[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access control, groups/organizationalRole

"Dieter Kluenter" <dieter@dkluenter.de> writes:

> Frederik Bosch <frederik.bosch@gmail.com> writes:
>>  Unfortunately. I can't get it working. Thanks again though! I am
>> still not able to read, only auth/bind.
>> Suppose I have the following setup.
>> dn= cn=Role Example 1,o=Organization
>> objectClass: organizationalRole
>> cn: Role Example
>> roleOccupant: uid=webmaster@example.com,ou=Partners,o=Organization
>> roleOccupant: uid=admin@example.com,ou=Partners,o=Organization
>> roleOccupant: uid=root@example.com,ou=Partners,o=Organization
>> dn= cn=Role Example 2,o=Organization
>> objectClass: organizationalRole
>> cn: Role Example 2
>> roleOccupant: uid=webmaster@example.co.uk,ou=Other,o=Organization
>> roleOccupant: uid=admin@example.co.uk,ou=Other,o=Organization
>> roleOccupant: uid=root@example.co.uk,ou=Other,o=Organization
>> dn= cn=Role Example N,o=Organization
>> objectClass: organizationalRole
>> cn: Role Example N
>> roleOccupant: uid=xx,ou=Misc,o=Organization
>> roleOccupant: uid=yy,ou=Misc,o=Organization
>> roleOccupant: uid=zz,ou=Misc,o=Organization
>> Now I want assign read access to the complete LDAP tree for all
>> occupants of a organizationalRole.
> something like
> access to dn.subtree="o=organization
>        by
>        group/organizationalRole/roleOccupant.expand="^cn=[^,]+,ou=[^,]+,o=organization$"
>        read
> you may check with slapd in debugging mode -d acl
> and read man slapd.access(5) for more examples.

Another experimental approach would  be sets and uri expansion.
something like this untested example

access to dn.subtree="o=organization"
by set.expand="[ldap:///o=organization??sub?objectclass=organizationalRole]/roleOccupant";


Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de