
Re: Admin roles by group membership per OU



Hi Quanah,

On Mon, Oct 16, 2017 at 07:58:45AM -0700, Quanah Gibson-Mount wrote:
> --On Monday, October 16, 2017 5:55 PM +0200 Ervin Hegedüs
> <airween@gmail.com> wrote:
> 
> 
> >without any real testing, I'm afraid that the rule{0} gives the
> >write access to cn=groupabcadmin to _all_ db, not just the ou=ABC
> >Cumstomer subtree.
> >
> >Am I right?
> 
> Hm, yes, that's correct.  You'll need to do something like utilize by *
> break appropriately, or have multiple "access to userPassword" ACLs by
> group, then a catchall after that.

I'm sorry - could you give me an example?

I just started using LDAP ACLs a few days ago... :)

I don't believe this is the first time this need has come up, but I
haven't found any example or case study.



Thanks again,


a.
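
The two approaches suggested in the quoted reply (a subtree-scoped rule ending in `by * break`, followed by a catchall) could look like the following. This is an added example, not part of the original message or thread; the suffix `dc=example,dc=com`, the `ou=ABC` DN, the group's location and the database DN `olcDatabase={1}mdb,cn=config` are placeholder assumptions.

```ldif
# Added example; all DNs below are placeholders, not values from the thread.
#
# Too broad (the problem discussed above): no DN scope in the <what> part,
# so the group gets write on userPassword in every entry of the database:
#   olcAccess: {0}to attrs=userPassword
#     by group.exact="cn=groupabcadmin,ou=ABC,dc=example,dc=com" write
#     by self write
#     by anonymous auth
#     by * none
#
# Scoped version. "replace" overwrites the whole ACL list, so the site's
# remaining rules must be included after {1} as well.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: matches userPassword only under ou=ABC. Group members get write;
# everyone else hits "by * break" and evaluation continues with {1}.
# Without the break, the implicit "by * none" would stop here and lock out
# self-service password changes and binds inside the subtree.
olcAccess: {0}to dn.subtree="ou=ABC,dc=example,dc=com" attrs=userPassword
  by group.exact="cn=groupabcadmin,ou=ABC,dc=example,dc=com" write
  by * break
# {1}: catchall for userPassword everywhere, including ou=ABC for anyone
# who fell through from {0}.
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {2}: assumed default for all other attributes; adjust to local policy.
olcAccess: {2}to *
  by * read
```

`group.exact` with no further qualifier checks the `member` attribute of a `groupOfNames` entry; a group of a different object class needs the `group/<objectclass>/<attribute>` form. Each additional customer OU gets its own scoped rule placed before the catchall.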