Andreas Hasenack wrote:
> Now I want to be able to use nested groups, so I follow the FAQ and do a test with sets:
>
> access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*" write by * read
>
> Without changing anything in the sudo admins group entry, suddenly I can create new entries under ou=sudoers as any authenticated user. That is, the group still only has the "uid=sudo admin" member, but I can add a new sudo entry as another user:
That's because sets grant permission as soon as the result of their evaluation is a non-empty set, and yours will always be non-empty.
You need to check whether the intersection between the nested group expansion and the user is not empty. Something like [any newlines added by the mailer]:
by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write
should work.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
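The following is an added model of the point made in this reply; it is not code from the thread or from OpenLDAP. It evaluates the two `set=` expressions (the original `[...]/member*` and the corrected `[...]/member* & user`) against a constructed directory in which `cn=Sudo Admins` contains a nested group `cn=Sudo Ops`, which in turn contains `uid=sudo admin`. The directory contents, the `uid=other` user and the simplified set grammar are assumptions of the model, as is the choice to keep the starting entry in the `/member*` closure; the granting rule, that a `by set=...` clause matches whenever the set evaluates non-empty, is the one the reply describes.

```python
import re
from typing import Dict, List, Set

# Constructed sample directory for the model (not real data): the nested
# group chain is Sudo Admins -> Sudo Ops -> uid=sudo admin.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Sudo Admins,ou=System Groups,dc=example,dc=com": {
        "member": ["cn=Sudo Ops,ou=System Groups,dc=example,dc=com"],
    },
    "cn=Sudo Ops,ou=System Groups,dc=example,dc=com": {
        "member": ["uid=sudo admin,ou=People,dc=example,dc=com"],
    },
    "uid=sudo admin,ou=People,dc=example,dc=com": {},
    "uid=other,ou=People,dc=example,dc=com": {},
}

# The two set expressions from the thread: the original one, and the
# corrected one that intersects the expansion with the bound user.
ORIGINAL_SET = "[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*"
CORRECTED_SET = ORIGINAL_SET + " & user"

# Minimal grammar (an assumption of this model): "[dn]/attr" or "[dn]/attr*",
# optionally followed by "& user".
SET_RE = re.compile(
    r"^\[(?P<dn>[^\]]+)\]/(?P<attr>\w+)(?P<star>\*?)(?P<user>\s*&\s*user)?$"
)


def follow_attr(dns: Set[str], attr: str) -> Set[str]:
    """One expansion step: the DN values of `attr` in every entry of `dns`."""
    out: Set[str] = set()
    for dn in dns:
        out.update(DIRECTORY.get(dn, {}).get(attr, []))
    return out


def closure(dns: Set[str], attr: str) -> Set[str]:
    """`/attr*`: follow `attr` repeatedly until nothing new appears.  The model
    keeps the starting entries in the result (an assumption of this model)."""
    seen = set(dns)
    frontier = set(dns)
    while frontier:
        frontier = follow_attr(frontier, attr) - seen
        seen |= frontier
    return seen


def evaluate_set(expr: str, user_dn: str) -> Set[str]:
    """Evaluate a set expression for a bound user and return the resulting set."""
    m = SET_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported set expression: {expr!r}")
    result = {m["dn"]}
    result = closure(result, m["attr"]) if m["star"] else follow_attr(result, m["attr"])
    if m["user"]:
        # "& user" intersects with the bound DN, so the result is non-empty
        # only when the user is actually a (possibly nested) member.
        result &= {user_dn}
    return result


def grants(expr: str, user_dn: str) -> bool:
    """The `by set=...` clause matches whenever the evaluated set is non-empty."""
    return bool(evaluate_set(expr, user_dn))


if __name__ == "__main__":
    for who in ("uid=sudo admin,ou=People,dc=example,dc=com",
                "uid=other,ou=People,dc=example,dc=com"):
        print(f"{who}: original={grants(ORIGINAL_SET, who)} "
              f"corrected={grants(CORRECTED_SET, who)}")
```

Running it shows the failure mode from the question: the original expression grants `uid=other` because the expanded member set is never empty, while the corrected expression grants only the nested member. Dropping the `*` (plain `/member & user`) would deny `uid=sudo admin` again, since without the closure only the direct member `cn=Sudo Ops` is in the set.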