[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL to allow all but one OU



On 07/27/2015 01:16 PM, Olaf Hopp wrote:
Hi listers,

I have ~40 departments in several ou's and I need an ACL to allow
access for one user to all but one OU.


I do not want to forbid that ou in question and thus implicitly allowing all the others.
I want to formulate this explicitly, so I can directly see what is allowed.

Moreover the names of the ou's are very similar to each other, something like:
ou=aaaa,dc=...
ou=abaa,dc=...
ou=bbaa,dc=...
ou=bbbb,dc=...

and suppose I want to disallow access to the ou=abaa.


I ended up with two ACLs:
the first one to forbid ou=abaa:

access to dn.sub=ou=abaa,dc=.... \
           attrs=entry
                 by dn=uid=foo,dc=.... none
                 by * break

and then allowing access to all ou's with

access to dn.regex=ou=[^,]+,dc=... \
           attrs=....
                 by dn=uid=foo,dc=...
                 by * break


Is it possible to formulate this with just one ACL ?
I tried something like "ou=!abaa" with just the second ACL but failed.

Then I tried ou=[^a][^b][^a][^a]
but this matches also the ou=bbbb to wich the uid=foo should have access.


Let me answer this question by myself for completeness:

use a filter is the answer:
               filter=(!(ou:dn:=abaa))
in my example above does the trick.

Regards, Olaf

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Leitung IT-Dienste -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Telefon: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp@kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT - Universität des Landes Baden-Württemberg und nationales Forschungszentrum in der Helmholtz-Gemeinschaft

Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature