[Date Prev][Date Next]
restricting access *to* entries by a group member
- To: firstname.lastname@example.org
- Subject: restricting access *to* entries by a group member
- From: Elan Ruusamäe <email@example.com>
- Date: Fri, 16 Nov 2012 22:08:11 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=w9L95ElR3sfplM5HUN/3Uj2rwWY4rr87u69O1TUSsKE=; b=hid+/PXl5G54tl/Z5q4rQS0zSCYe3wEUiCTJGQ+MQpOQ68Y0I5v64YYBofLOU1wpJY rEXYYXKHuVR5E193v+Am8ivfIYAD1dLdz6ekVNpESvDWLiGSDggNgsU/sHnvqKHdguNB AMXRnXTv9Fj2NhbYySXuO32vzk8tff+dVltIA0VdZChl1QnmFDXmUuEyPmuzaA0DmrAq xRE0uB5lltzY7ayuSmW3th08MJwnWdMJatBHg+1spSbwScFmEXU5MMas+O24P3UkgCea bcXt552H9rXCXXEGg+u1I8MJ7bQU2xRADp4mtoxBafbU6CzSgyz5K+HgY+bt2E9pjrc/ pgpw==
the goal is to make some users hidden from part of the ldap tree from Apache,
as Apache mod_ldap requires only one entry to be returned for
anonymous search it performs.
there can be duplicates in the same ldap directory, like, for example
there's another uid=glen present
the tree looks like this:
+- cn=Hidden Users
+- member: uid=glen,ou=People,dc=example,dc=net
in what ou=Basement,ou=People,dc=example,dc=net is filled by "database ldap",
and it causes duplicate uid entries in the directory (unavoidable)
so far i have just static acl that is working:
access to dn.regex="uid=(glen|somebody-else),ou=People,dc=delfi,dc=net"
by anonymous =rcxd
it would be better if that can be done by dynamic group lookup via acl.
as i see it, there shoould be acl stating if access to
uid=.+,ou=People,dc=example,dc=net is attempted,
it is checked first that it is not "member" of cn=Hidden
and if it's member, access to entry is denied. however i'm unable to
complete such acl rule
i have read manual, and tried to experiment, but i can't make up such
dynamic configuration. any help from the list?