[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd ACL - limit bind to employeeType=<various>

Hi,
Sorry - this is probably very basic, but I cannot get my head around how to write an ACL that prevents "auth" unless the user's employeeType attribute is in a particular list (or NOT in a shorter list). 

I have a slapd config line:
constraint_attribute employeeType regex ^(Staff|External|MA|PhD|Intern|System|Archive|Delete)$
However, I'd like to limit the ability to bind (auth) to those users whose employeeType is NOT [regex ^(Archive|Delete)$] 

or, less preferable, IS Staff|External|MA|PhD|Intern|System
At the moment I apply the constrain in pam-ldap, but that's not terribly elegant and of course does not work if apache2's mod_authnz_ldap checks directly with the LDAP server. 


Many thanks for pointers :)

Tim

PS

Current ACLs are fairly simple:

access to dn.base="" by * read

access to attrs=userPassword
        by peername.path="/var/run/slapd/ldapi" manage
by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage 
        by self write
        by * auth

# Certain attributes that should not be publically readable
access to attrs=bindTimestamp,modifyTimestamp,modifiersName,creatorsName,c reateTimestamp 
        by peername.path="/var/run/slapd/ldapi" manage
by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage 
        by self read
        by * none

--
Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager         Kings Digital Lab (KDL), King's College London
Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/