[Date Prev][Date Next] [Chronological] [Thread] [Top]

Lazy ACLs and keeping your DIT as flat as possible

Hi All,

I'm pretty sure that this isn't possible, but wanted to check as my
head hurts now.

I have dynamic lists using slapo-dynlist with the Organization
attribute of 'o' and I am trying to keep my DIT as flat as possible.

I want to create an ACL that is "by group", which is fine. But....I
don't want to hardcode a group.

I want to "capture" o via a regex and use that in the "by group" like so:

access to dn.subtree="ou=Users,dc=suretec,dc=co,dc=uk"
    by group.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk" read
    by self write

or something like the following using a previous capture:

access to filter=(&(objectClass=inetOrgPerson)(o=$1))
    by group/groupOfURLs/memberURL.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk"
    by self write
    by * none

Issue is you can't pass captures between "access by" statements and my
ACLs are flawed based on what you're searching for, which would be
perfect. The goal being users in the same group can only see users on
ou=Users of that group, with out hard coding group name in the conf.

I guess I'll have to create branches to split up users. Then again,
I'm adding a group to ou=Groups, why shouldn't I at the same time add
a new ACL via cn=config?


Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretec.co.uk

Open Source. Open Solutions(tm).


Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.

Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

Do you know we have our own VoIP provider called SureVoIP? See

Did you see our API? http://www.surevoip.co.uk/api