Fabrice Eudes wrote:
Pierangelo Masarati wrote:
If access depends on values in the "who", use sets; in your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com"
        attrs=cn,description,memberUid,entry
    by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
Wow! No chance I could find that on my own, especially because the slapd.access manpage says "The statement set=<pattern> is undocumented yet." :-)
The only documentation is in http://www.openldap.org/faq/data/cache/1133.html.
should work (note: indentation has probably been destroyed by my mailer).
No, it doesn't work :-( Precisely, in slapd.conf, I've added:
access to dn.children="ou=groupes,dc=domain"
        attrs=cn,description,memberUid,entry
    by dn="cn=adminLDAP,dc=domain" write
    by set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
    by users read
iremLillePerson = inetOrgPerson + groupesTravail (multi-valued); 1200 = the value of the attribute for which I want to give write access.
When I give an explicit by dn="cn=name,ou=personnes,dc=domain" instead of the set clause, it works.
My fault (and a bug in the code): remove the "1.1", leaving the "attrs" field of the URI empty.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email:  pierangelo.masarati@sys-net.it
---------------------------------------
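As an added example, not part of the thread itself: Fabrice's ACL with the change Pierangelo describes (the "1.1" dropped so the attrs field of the set URI is empty), shown next to the form that did not match. The DNs, object class and attribute value are the ones Fabrice posted; nothing else about his directory is assumed.

```conf
# Added example, not from the original thread. Same directive as Fabrice's,
# with the fix from Pierangelo's reply: the "attrs" field of the URI is left
# empty (two consecutive '?'), instead of carrying "1.1".
#
# The set clause works like this: the URI is evaluated as an internal search
# under ou=personnes,dc=domain with the given filter, "/entryDN" turns the
# resulting entries into their DNs, and "& user" intersects that DN set with
# the bound DN. The clause matches only when the bound user is one of the
# entries the search returned, i.e. an iremLillePerson whose groupesTravail
# contains 1200.

# Did not match (the form from the thread, with "1.1" in the attrs field):
#   by set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write

# Corrected form:
access to dn.children="ou=groupes,dc=domain"
        attrs=cn,description,memberUid,entry
    by dn="cn=adminLDAP,dc=domain" write
    by set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
    by users read
```

To check the clause rather than trust it, bind as one entry that has groupesTravail=1200 and one that does not, attempt the same ldapmodify on an entry under ou=groupes, and confirm the first succeeds and the second is refused; running slapd with the acl debug level (slapd -d acl, or loglevel acl in slapd.conf) shows which "by" clause each request stopped at. Keep in mind that a set clause with a URI runs an extra search on every access check against that ACL, so the filter should hit indexed attributes and the base should be as narrow as the data allows.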