Re: slapd ACL - limit bind to employeeType=<various>



On 2016-04-12 11:37, Tim Watts wrote:
> Sir, you are a genius :)
>
> On 11/04/16 07:31, Michael Ströder wrote:
>> # some entries matching filter
>> access to
>>    attrs=userPassword
>>    filter=(!(employeeType=Archive)(employeeType=Delete))
>>      by ..some who clauses for setting password
>>      by * auth
>>
>> # all other entries
>> access to
>>    attrs=userPassword
>>      by * none
>
> Very slight tweak to the syntax

Ah yes, filter was wrong.

> (with huge thanks - I would not have
> guessed this was the required technique - I was concentrating on
> finding an "auth" ACL when I was googling.)

Writing OpenLDAP ACLs is a bit like functional
programming - at least from what I vaguely remember
from my time at University many years ago.

I'd recommend looking into the OpenLDAP FAQ to
find some more not-so-obvious examples.

Ciao, Michael.
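
The two-clause ACL discussed in this thread, modelled as an added example that is not part of the original messages and is not slapd code: it parses the filter with a small RFC 4515 subset parser and applies the "first matching clause wins" rule to constructed entries. `CORRECTED` is an assumed fix (the thread does not show the tweaked filter); the function names and sample entries are hypothetical.

```python
AS_POSTED = "(!(employeeType=Archive)(employeeType=Delete))"     # filter as posted in the thread
CORRECTED = "(!(|(employeeType=Archive)(employeeType=Delete)))"  # assumed fix, not shown in the thread

def parse(f, i=0):
    """Parse an RFC 4515 filter (subset: & | ! and equality) starting at f[i]."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1:i + 2]
    if op and op in "&|!":
        kids, i = [], i + 2
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed '{op}' group")
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' takes exactly one filter; wrap alternatives in (|...)")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the item is unterminated
    attr, sep, val = f[i + 1:end].partition("=")
    if not (attr and sep):
        raise ValueError("expected attr=value")
    return ("=", attr.lower(), val.lower()), end + 1

def compile_filter(f):
    node, end = parse(f)
    if end != len(f):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against an entry {lowercase_attr: [values]}."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(k, entry) for k in node[1]]
    return not results[0] if node[0] == "!" else (all if node[0] == "&" else any)(results)

def userpassword_access(entry, acl_filter):
    """Level 'by *' gets on userPassword: the first clause whose <what> matches is used."""
    if matches(compile_filter(acl_filter), entry):
        return "auth"  # clause 1 (by * auth): a simple bind as this entry can succeed
    return "none"      # clause 2 (by * none): a bind as this entry fails

if __name__ == "__main__":
    for et in (["Staff"], ["Archive"], ["Delete"], []):  # constructed sample entries
        print(et, userpassword_access({"employeetype": et}, CORRECTED))
```

Entries with no `employeeType` at all also match the negated filter and so remain able to bind.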