Lazy ACLs and keeping your DIT as flat as possible
I'm pretty sure that this isn't possible, but wanted to check as my
head hurts now.
I have dynamic lists using slapo-dynlist with the Organization
attribute of 'o' and I am trying to keep my DIT as flat as possible.
I want to create an ACL that is "by group", which is fine. But... I
don't want to hardcode a group.
I want to "capture" o via a regex and use that in the "by group" like so:
access to dn.subtree="ou=Users,dc=suretec,dc=co,dc=uk"
    by group.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk" read
    by self write
or something like the following using a previous capture:
access to filter=(&(objectClass=inetOrgPerson)(o=$1))
    by self write
    by * none
Issue is you can't pass captures between "access by" statements and my
ACLs are flawed based on what you're searching for, which would be
perfect. The goal being users in the same group can only see users on
ou=Users of that group, without hard coding group name in the conf.
I guess I'll have to create branches to split up users. Then again,
I'm adding a group to ou=Groups, why shouldn't I at the same time add
a new ACL via cn=config?
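
The closing idea in the post, adding an ACL through cn=config whenever a group is added, could be scripted as below. This is an added example, not code from the original message: the database DN `olcDatabase={1}mdb,cn=config`, the helper names and the sample group name are assumptions, and the group is assumed to be a static entry at `cn=<name>,ou=Groups`. Because the group name is pasted into an access rule, it is checked against an allowlist first.

```python
import re

BASE = "dc=suretec,dc=co,dc=uk"           # suffix used in the post
DB_DN = "olcDatabase={1}mdb,cn=config"    # assumption: varies per installation

# Allowlist: no DN, filter, quoting or whitespace metacharacters, so a group
# name cannot change the structure of the generated rule.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,62}")


def group_acl(name):
    """Return the access rule for one organisation/group name."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("unsafe group name: %r" % name)
    return (
        'to dn.subtree="ou=Users,%s" '
        'filter=(&(objectClass=inetOrgPerson)(o=%s)) '
        # by-clauses stop at the first match, so self is listed before
        # the group; otherwise a member would only ever get read
        'by self write '
        'by group.exact="cn=%s,ou=Groups,%s" read '
        'by * none' % (BASE, name, name, BASE)
    )


def acl_ldif(name, index=0):
    """LDIF for ldapmodify that inserts the rule at position index."""
    if not isinstance(index, int) or index < 0:
        raise ValueError("index must be a non-negative integer")
    return "\n".join([
        "dn: " + DB_DN,
        "changetype: modify",
        "add: olcAccess",
        # an {n} prefix on an added value places it at that position
        "olcAccess: {%d}%s" % (index, group_acl(name)),
        "",
    ])


if __name__ == "__main__":
    print(acl_ldif("acme"))  # "acme" is a constructed sample group name
```

Each generated rule has to sit before any broader rule covering ou=Users, since slapd applies the first `access to` clause that matches the entry.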