Tim Watts wrote:
> Sorry - this is probably very basic, but I cannot get my head around how to
> write an ACL that prevents "auth" unless the user's employeeType attribute is in
> a particular list (or NOT in a shorter list).
>
> I have a slapd config line:
>
> constraint_attribute employeeType regex
> ^(Staff|External|MA|PhD|Intern|System|Archive|Delete)$
>
>
> However, I'd like to limit the ability to bind (auth) to those users whose
> employeeType is NOT [regex ^(Archive|Delete)$]

# some entries matching filter
access to attrs=userPassword
       filter=(!(|(employeeType=Archive)(employeeType=Delete)))
  by ..some who clauses for setting password
  by * auth

# all other entries
access to attrs=userPassword
  by * none

The second ACL is important!

> Current ACLs are fairly simple:
>
> access to dn.base="" by * read
>
> access to attrs=userPassword
>   by peername.path="/var/run/slapd/ldapi" manage
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is somewhat dangerous because it gives any process which has write
access to the LDAPI socket *manage* rights. I'd recommend not to do that.
Rather use authz-regexp mappings to explicitly map certain OS accounts to
real LDAP entries.

>   by set="user/uid &
> [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage

Set-ACLs are slow. I'd recommend to use groupOfNames entries to achieve this.

Ciao, Michael.
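The following slapd.conf fragment is an added example, not part of the thread above, that puts the three points of the reply together: the filtered auth ACL with the catch-all second ACL behind it, an authz-regexp mapping instead of a peername.path grant, and a groupOfNames check instead of a set ACL. The entry cn=ldapi-admin,ou=system,dc=dighum,dc=kcl,dc=ac,dc=uk, the "by self write" clause and the assumption that cn=sysadmin is (or is converted to) a groupOfNames with a member attribute are mine; the group DN and employeeType values are the ones from the thread.

```conf
# Map the root OS account that connects over the LDAPI socket (SASL EXTERNAL
# with peer credentials) to a real directory entry. Only that entry, not
# "whoever can write to the socket", gets manage rights further down.
# The target entry is assumed to exist (assumption for this example).
authz-regexp
  "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=ldapi-admin,ou=system,dc=dighum,dc=kcl,dc=ac,dc=uk"

# 1) Entries whose employeeType is neither Archive nor Delete may bind.
#    An ACL filter is an LDAP search filter, not a regex, so
#    ^(Archive|Delete)$ becomes NOT(OR(equality, equality)).
access to attrs=userPassword
       filter=(!(|(employeeType=Archive)(employeeType=Delete)))
  by dn.exact="cn=ldapi-admin,ou=system,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
  by group.exact="cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
  by self write
  by * auth

# 2) Everything that did not match the filter (employeeType Archive or
#    Delete) reaches this clause: admins may still manage the password,
#    but nobody can authenticate with it. Without this clause slapd's
#    default for unmatched entries would still deny, but stating it keeps
#    the intent explicit if further ACLs are appended later.
access to attrs=userPassword
  by dn.exact="cn=ldapi-admin,ou=system,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
  by group.exact="cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
  by * none

access to dn.base=""
  by * read
```

Two things to check when adapting this. First, slapd evaluates "access to" clauses in order and uses the first one whose target (here attrs plus filter) matches the entry, so the filtered clause must come before the catch-all. Second, the negated filter also matches an entry that has no employeeType at all, because an equality assertion on a missing attribute is false and its negation is true; if every account is supposed to carry an employeeType, wrap the filter as (&(employeeType=*)(!(|(employeeType=Archive)(employeeType=Delete)))) so that such entries fall through to the deny clause. Root over the socket then binds with ldapwhoami -Y EXTERNAL -H ldapi:/// and should report the mapped cn=ldapi-admin DN.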