Tim Watts wrote:
> Sorry - this is probably very basic, but I cannot get my head around how to
> write an ACL that prevents "auth" unless the user's employeeType attribute is in
> a particular list (or NOT in a shorter list).
>
> I have a slapd config line:
>
> constraint_attribute employeeType regex ^(Staff|External|MA|PhD|Intern|System|Archive|Delete)$
>
>
> However, I'd like to limit the ability to bind (auth) to those users whose
> employeeType is NOT [regex ^(Archive|Delete)$]
# some entries matching filter
# (the "!" operator takes exactly one operand, so the two values are OR-ed first)
access to
        attrs=userPassword
        filter=(!(|(employeeType=Archive)(employeeType=Delete)))
        by ..some who clauses for setting password
        by * auth
# all other entries
access to
        attrs=userPassword
        by * none
The second ACL is important!
> Current ACLs are fairly simple:
>
> access to dn.base="" by * read
>
> access to attrs=userPassword
> by peername.path="/var/run/slapd/ldapi" manage
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This is somewhat dangerous because it gives any process which has write access
to the LDAPI socket *manage* rights. I'd recommend not to do that. Rather use
authz-regexp mappings to explicitly map certain OS accounts to real LDAP entries.
> by set="user/uid &
> [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage
Set-ACLs are slow. I'd recommend to use groupOfNames entries to achieve this.
Ciao, Michael.
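As an added illustration (not Michael's nor OpenLDAP's code), a small evaluator for the subset of RFC 4515 filter syntax used in the ACL above, run against constructed sample entries. It shows why "!" must wrap a single (|...) term and which entries the corrected filter lets through to "by * auth"; the sample entries and the case-insensitive value comparison are assumptions.

```python
# Minimal RFC 4515 filter evaluator: supports (&...), (|...), (!...) and
# equality matches. Entries are dicts of attribute -> list of values
# (constructed sample data, not taken from any real directory).

def parse_filter(s):
    """Parse an LDAP filter string into a nested tuple tree."""
    pos = 0
    def node():
        nonlocal pos
        if s[pos] != '(':
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = s[pos]
        if op in '&|!':
            pos += 1
            kids = []
            while pos < len(s) and s[pos] == '(':
                kids.append(node())
            if pos >= len(s) or s[pos] != ')':
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            if op == '!' and len(kids) != 1:
                # This is the defect in the filter quoted in the mail above.
                raise ValueError("'!' takes exactly one filter (RFC 4515)")
            return (op, kids)
        end = s.index(')', pos)
        attr, _, val = s[pos:end].partition('=')
        pos = end + 1
        return ('=', attr.lower(), val.lower())  # assume caseIgnore matching
    tree = node()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return tree

def is_valid_filter(s):
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False

def matches(tree, entry):
    op = tree[0]
    if op == '=':
        vals = [v.lower() for k, vs in entry.items() if k.lower() == tree[1] for v in vs]
        return tree[2] in vals
    if op == '&':
        return all(matches(k, entry) for k in tree[1])
    if op == '|':
        return any(matches(k, entry) for k in tree[1])
    return not matches(tree[1][0], entry)

def may_auth(entry, flt="(!(|(employeeType=Archive)(employeeType=Delete)))"):
    """True if the entry matches the first ACL's filter (reaches 'by * auth')."""
    return matches(parse_filter(flt), entry)
```

Note that an entry with no employeeType at all also matches the negated filter, so the first ACL lets such entries authenticate; a constraint_attribute regex only guards writes, not existing entries without the attribute.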