Hi Michael, On Sat, 14 Dec 2013, Michael Ströder wrote: > HI! > > I used this FAQ entry to use set-based ACLs for my current task: > > http://www.openldap.org/faq/data/cache/1133.html > > There's written: > > "We could make this more powerful (and more complex and costly to compute) > by allowing base sets to be built from LDAP filters. This is something to > consider, because the combination of filters and sets (which have little > overlap in what they can express) is very powerful. This is partially provided > by the URI expansion capability." > > Was this ever implemented? It would be helpful. IMO using 'this' and/or 'user' > in [ldap://] sets would make evaluating the set-based <who> clause faster if > attributes used in LDAP URLs are properly indexed. > > Background: > My aim is to configure Linux clients all the same (search base, filter etc.) > but let each *machine* individually authenticate against OpenLDAP server. > Then only the users who are members of groups with login rights on this > particular server should be visible to the Linux client. > So the goal is to filter user/groups at the OpenLDAP server and *not* in the > Linux client (e.g. by sssd configuration or similar). > For now it seems only possible to do this with set-based ACLs given all the > requirements I have. I needed to restrict users seen be a spefic application to users that are member in the respective applications group. I cheated by not checking the group but the memberOf: attribute in the entries I intended to filter. olcAccess: to dn.children="dc=example,dc=org" filter="(memberOf=cn=application1-group,ou=groups,dc=example,dc=org)" by dn.base="cn=application1-user,ou=system,dc=example,dc=org" read olcAccess: to dn.children="dc=example,dc=org" filter="(memberOf=cn=application2-group,ou=groups,dc=example,dc=org)" by dn.base="cn=application2-user,ou=system,dc=example,dc=org" read olcAccess: to dn.children="dc=example,dc=org" filter="(memberOf=cn=application3-group,ou=groups,dc=example,dc=org)" by dn.base="cn=application3-user,ou=system,dc=example,dc=org" read The performance implictations of these kind of acl should be ok from my understanding as they only apply to the specific applications user.