Andrew Findlay wrote:
> On Mon, Jan 16, 2017 at 03:21:41PM +0000, Philip Colmer wrote:
>
>> to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by set="this/
>> owner/member & user" write by users none by * none
>
>> Is there a way of performing an LDAP search that does the equivalent of the ACL
>> (or something like it) to tell me which groups can be written to for a given
>> DN?
>
> I don't think you will be able to do that in a single LDAP operation on a standard
> server. The most efficient way is probably:
>
> Search for all groups that the user is a member of, returning just the DN
>
> Search for all groups where any of those DNs are found in the owner attribute
>
> Beware though, that if some users are members of very large numbers of groups then the
> search assertion could be very large...
>
> If you have the memberof overlay then you may be able to simplify the process
> by having it maintain an 'ownerOf' attribute in the group entries. Then you could get
> what you want in a single search:
>
> Match: (&(objectclass=groupOfNames)(member=<user DN>))
> Return: ownerOf attribute
>
> This may return multiple entries. You just need to gather up all the ownerOf values.
> To be really cute you could add the dynlist overlay to do this for you...

One DN reference level in search results can also be covered by using slapo-deref (provided the LDAP client also supports using that extended control). Using dereferenced attribute values as assertion values in filters does not work. So together with slapo-memberof maintaining an 'ownerOf' attribute this could be achieved with one search operation.

Ciao, Michael.
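The two approaches in the thread (Andrew's two-search procedure and the single search against a maintained ownerOf attribute), worked through as an added example that is not part of the original thread. It runs offline against a small constructed in-memory directory: the `search_groups` function stands in for an ldapsearch under ou=groups, and `owner_of_index` stands in for what a memberof-style overlay keyed on `owner` would maintain. It goes slightly beyond Andrew's outline in that the user's own DN is added to the owner assertion, so the `by dnattr="owner" write` clause is covered as well as the `set="this/owner/member & user"` clause. The filter-building helpers use RFC 4515 escaping so that a DN containing `(`, `)`, `*` or `\` cannot change the filter's structure; all DNs and group names here are constructed sample values.

```python
"""Which groups can a user write to under
    to dn.sub="ou=groups,dc=example,dc=com"
        by dnattr="owner" write
        by set="this/owner/member & user" write
Constructed in-memory directory; the search helpers stand in for ldapsearch."""

# Constructed sample directory: DN -> attributes (values kept as lists, as LDAP returns them)
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
        "owner": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=dev,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
        "owner": ["cn=admins,ou=groups,dc=example,dc=com"],   # owned by a group
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=carol,ou=people,dc=example,dc=com"],
        "owner": ["uid=carol,ou=people,dc=example,dc=com"],
    },
}


def ldap_escape(value):
    """RFC 4515 escaping for an assertion value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def member_filter(user_dn):
    """Filter for step 1: groups the user is a direct member of."""
    return "(&(objectClass=groupOfNames)(member=%s))" % ldap_escape(user_dn)


def owner_filter(dns):
    """Filter for step 2: one (owner=...) term per candidate DN. With thousands
    of memberships this assertion grows linearly, which is the size concern
    raised in the thread."""
    terms = "".join("(owner=%s)" % ldap_escape(dn) for dn in sorted(dns))
    return "(&(objectClass=groupOfNames)(|%s))" % terms


def search_groups(attr, values, directory=DIRECTORY):
    """Stand-in for an LDAP search under ou=groups: DNs of every groupOfNames
    whose <attr> contains any of <values>. Exact string match here; a real
    server applies distinguishedNameMatch."""
    wanted = set(values)
    return sorted(dn for dn, entry in directory.items()
                  if "groupOfNames" in entry.get("objectClass", [])
                  and wanted & set(entry.get(attr, [])))


def writable_groups_two_searches(user_dn, directory=DIRECTORY):
    # Step 1: groups the user belongs to (the 'set' clause walks this/owner/member).
    member_of = search_groups("member", [user_dn], directory)
    # Step 2: groups owned by the user (dnattr="owner") or by any of those groups.
    return search_groups("owner", [user_dn] + member_of, directory)


def owner_of_index(directory=DIRECTORY):
    """What a memberof-style overlay keyed on 'owner' would maintain as an
    'ownerOf' attribute: owner DN -> groups that list it as owner."""
    index = {}
    for dn, entry in directory.items():
        for owner in entry.get("owner", []):
            index.setdefault(owner, []).append(dn)
    return index


def writable_groups_single_search(user_dn, directory=DIRECTORY):
    """One search, (&(objectClass=groupOfNames)(member=<user>)) returning
    ownerOf, then gather all ownerOf values; the user's own ownerOf values
    cover the dnattr="owner" clause."""
    index = owner_of_index(directory)
    result = set(index.get(user_dn, []))
    for group in search_groups("member", [user_dn], directory):
        result.update(index.get(group, []))
    return sorted(result)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print(member_filter(alice))
    print(owner_filter([alice] + search_groups("member", [alice])))
    print(writable_groups_two_searches(alice))
    print(writable_groups_single_search(alice))
```

Both functions give the same answer for the sample data: alice can write cn=admins (she is its owner) and cn=dev (owned by cn=admins, of which she is a member), while bob, who is only a member of cn=dev, can write nothing. The printed filters are what would actually be sent to a server, so the escaping helper is the part worth keeping when wiring this to a real ldapsearch or ldap3 call.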