On Fri, 2007-09-14 at 14:07 -0300, Andreas Hasenack wrote:
So why was "jsmith" allowed to create a new entry under ou=sudoers? He is not a member of any of the special groups, and I only changed the ACL line from "by group" to "by set".
This is the right ACL. At least, this one works for me:

    access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole
        by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write
        by * read
I was missing the "& user" part. And it works with nested groups now:
    $ ldapsearch -x -LLL "cn=sudo admins" member
    dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
    member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
    member: cn=Account Admins,ou=System Groups,dc=example,dc=com

    $ ldapsearch -x -LLL "cn=account admins" member
    dn: cn=Account Admins,ou=System Groups,dc=example,dc=com
    member: uid=Account Admin,ou=System Accounts,dc=example,dc=com
    member: uid=jsmith,ou=people,dc=example,dc=com
And jsmith can create/change sudo entries:

    $ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith < foo.ldif
    adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"
    $
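To make the difference between the two ACLs concrete, here is an added example (not part of the thread, and not OpenLDAP code) that simulates how slapd evaluates a set clause: "[group]/member*" is the transitive closure of the member attribute starting at the group (zero or more hops, so nested groups are followed), and "& user" intersects that set with the bind DN. A set clause grants access whenever the resulting set is non-empty, which is why the version without "& user" lets any bound user write: the closure of a group that has members is never empty. The in-memory directory below is a constructed stand-in for the entries shown in the ldapsearch output above; the helper names are my own.

```python
# Constructed sample of the DIT from the thread (DN -> attributes).
DIRECTORY = {
    "cn=Sudo Admins,ou=System Groups,dc=example,dc=com": {
        "member": [
            "uid=Sudo Admin,ou=System Accounts,dc=example,dc=com",
            "cn=Account Admins,ou=System Groups,dc=example,dc=com",
        ]
    },
    "cn=Account Admins,ou=System Groups,dc=example,dc=com": {
        "member": [
            "uid=Account Admin,ou=System Accounts,dc=example,dc=com",
            "uid=jsmith,ou=people,dc=example,dc=com",
        ]
    },
    "uid=jsmith,ou=people,dc=example,dc=com": {},
    # An unrelated user who is in no admin group at all.
    "uid=bob,ou=people,dc=example,dc=com": {},
}

SUDO_ADMINS = "cn=Sudo Admins,ou=System Groups,dc=example,dc=com"


def normalize(dn):
    """DNs compare case-insensitively; lower-case them before set operations."""
    return dn.lower()


def expand_closure(start_dn, attr="member"):
    """Evaluate the set expression "[start_dn]/attr*": follow `attr` transitively
    (nested groups included). The '*' means zero or more hops, so the start
    entry itself is part of the result. Cycles are handled by the `seen` set."""
    lookup = {normalize(dn): attrs for dn, attrs in DIRECTORY.items()}
    seen = set()
    stack = [normalize(start_dn)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for value in lookup.get(dn, {}).get(attr, []):
            stack.append(normalize(value))
    return seen


def set_acl_matches(group_dn, user_dn, with_user_intersection):
    """Return True if the set clause grants access to the bind DN `user_dn`.

    with_user_intersection=True  models  by set="[group]/member* & user"
    with_user_intersection=False models  by set="[group]/member*"   (the bug)

    A set clause matches when the evaluated set is non-empty."""
    closure = expand_closure(group_dn)
    result = closure & {normalize(user_dn)} if with_user_intersection else closure
    return len(result) > 0


if __name__ == "__main__":
    for user in ("uid=jsmith,ou=people,dc=example,dc=com",
                 "uid=bob,ou=people,dc=example,dc=com"):
        print(user,
              "correct ACL:", set_acl_matches(SUDO_ADMINS, user, True),
              "| missing '& user':", set_acl_matches(SUDO_ADMINS, user, False))
```

Running the script shows jsmith matching through the nested Account Admins group with the corrected clause, bob not matching, and both users matching once "& user" is dropped. When reviewing set-based ACLs, the check to make is that every set expression that is meant to identify a principal ends in an intersection with `user` (or `this`), otherwise the clause only tests that the set is non-empty.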