On Sat, 2007-09-15 at 00:45 +0200, Pierangelo Masarati wrote:
Andreas Hasenack wrote:
Now I want to be able to use nested groups, so I follow the FAQ and do a test with sets:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*" write by * read
Without changing anything in the sudo admins group entry, suddenly I can create new entries under ou=sudoers as any authenticated user. That is, the group still only has the "uid=sudo admin" member, but I can add a new sudo entry as another user:
That's because sets grant permission as soon as the result of their evaluation is a non-empty set, and yours will always be non-empty.
Ah, right, that was the missing piece.
You need to check whether the intersection between the nested group expansion and the user is not empty. Something like [any newlines added by the mailer]:
by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write
should work.
Worked just fine, thanks!
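To make the semantics discussed in the thread concrete, here is an added Python simulation of how a "by set=" clause is evaluated: the "/member*" closure always contains the group DN itself, so the set is never empty and any authenticated user matches, while the "& user" intersection only matches the bound DN. This is illustrative code, not from the thread or from OpenLDAP; the directory entries, the uid=alice DN and the function names are constructed for the example, and DN comparison is simplified to exact string matching.

```python
# Added example (not from the thread or OpenLDAP): simulates the two
# "by set=..." clauses from the discussion over a constructed directory.

SUDO_ADMINS = "cn=Sudo Admins,ou=System Groups,dc=example,dc=com"

# Constructed sample directory: DN -> attributes (only "member" matters).
# "Sudo Admins" contains "Ops Team", which contains the real sudo admin,
# so the admin is only a member through a nested group.
DIRECTORY = {
    SUDO_ADMINS: {
        "member": ["cn=Ops Team,ou=System Groups,dc=example,dc=com"],
    },
    "cn=Ops Team,ou=System Groups,dc=example,dc=com": {
        "member": ["uid=sudo admin,ou=People,dc=example,dc=com"],
    },
    "uid=sudo admin,ou=People,dc=example,dc=com": {},
    "uid=alice,ou=People,dc=example,dc=com": {},   # unprivileged user
}


def expand_member_closure(start_dns):
    """Mimic the set operator '/member*': follow the member attribute
    zero or more times and return every DN reached, including the
    starting DNs themselves (which is why the result is never empty)."""
    seen = set()
    stack = list(start_dns)
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for m in DIRECTORY.get(dn, {}).get("member", []):
            if m not in seen:
                stack.append(m)
    return seen


def set_clause_grants(bound_user, intersect_with_user):
    """A set clause grants its access level iff the set it evaluates to
    is non-empty. With intersect_with_user=True the '& user' term from
    the fix is applied, so only the bound DN can make the set non-empty."""
    result = expand_member_closure([SUDO_ADMINS])
    if intersect_with_user:
        result = result & {bound_user}
    return len(result) > 0
```

Running `set_clause_grants("uid=alice,ou=People,dc=example,dc=com", False)` reproduces the original problem (alice gets write), while the same call with `True` denies her and still grants the nested sudo admin.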