Wilhelm Meier wilhelm.meier@fh-kl.de writes:
> On Monday 27 October 2008 Pierangelo Masarati wrote:
>> Wilhelm Meier wrote:
>>> I don't see how to make this work with the rwm-overlay or some sort of acls. But I'm sure I missed something ...
>> You probably didn't read slapd.access(5) where it discusses the "filter" form of the <what> clause.
> Thank you for this advice, but it doesn't fully solve the problem:
> access to attrs=userPassword,shadowLastChange dn.regex="uid=([^,]+),ou=Benutzer,dc=kmux,dc=de" filter="gidNumber=998" by dn="cn=admin,dc=kmux,dc=de" write by anonymous auth by self write by * none
> This limits the authentication to users whose posix primary (!) group has the gid-number 998 (the dn.regex in the example above isn't needed).
> But that's not the whole story. We want to grant access also to those users for whom one of their secondary (!) posix groups is some special group, e.g. cn=archiv,ou=gruppen,dc=kmux,dc=de
> So it must be possible to search for an object of objectclass=posixGroup with the attribute memberUid=<uid>, where <uid> is the value of the uid-attribute of the user who tries to bind to the slapd. If this search returns one (or more) results, the user should be authenticated.
This approach can be solved by sets. http://www.openldap.org/faq/data/cache/1133.htm And search the mail archive, where numerous examples can be found.
-Dieter
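As an added illustration of the set-based approach Dieter points to (this is example configuration written for this thread, not something posted by Dieter, Wilhelm or Pierangelo), the two slapd.conf directives below combine the primary-group case from Wilhelm's post with a secondary-group check. The group DN cn=archiv,ou=gruppen,dc=kmux,dc=de and the gidNumber 998 are taken from the thread; the attribute names uid and memberUid are the standard posixAccount/posixGroup attributes. The essential point is the `this` keyword: during a bind no DN is bound yet, so `user` is empty, but `this` names the target entry (the account whose userPassword is being checked), and `this/uid` can be intersected with the group's memberUid values.

```conf
# Added example (not from the original thread).
# First directive: users whose primary posix group has gidNumber 998.
# The what-clause filter selects those entries; others fall through.
access to attrs=userPassword,shadowLastChange filter="(gidNumber=998)"
        by dn.exact="cn=admin,dc=kmux,dc=de" write
        by self write
        by anonymous auth
        by * none

# Second directive: users listed as memberUid in the secondary group
# cn=archiv,ou=gruppen,dc=kmux,dc=de (group DN taken from the thread).
# "this/uid" expands to the uid of the entry being authenticated;
# "[dn]/memberUid" expands to the memberUid values of the group entry.
# The intersection is non-empty only when the account's uid is a member,
# and only then is "auth" access to userPassword granted.
access to attrs=userPassword,shadowLastChange
        by dn.exact="cn=admin,dc=kmux,dc=de" write
        by self write
        by set="this/uid & [cn=archiv,ou=gruppen,dc=kmux,dc=de]/memberUid" auth
        by * none
```

Directive order matters: slapd stops at the first `access to` clause whose what-part matches the entry, so the filter-form directive must come first; an account with gidNumber 998 never reaches the second directive, and an account without it is judged solely by the set expression. Anyone not matched by either `by` clause ends at `by * none` and cannot bind.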