Hello,
I had a look at the OpenLDAP docs and it looks like it isn't possible to define access based on an attribute value of a bound user. Is this correct?
I use slapd version 2.4.9 (Debian/Linux).
Vladimir Dzhuvinov wrote:
> Hello,
> I had a look at the OpenLDAP docs and it looks like it isn't possible to define access based on an attribute value of a bound user. Is this correct?
See http://www.openldap.org/faq/data/cache/1133.html.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
-----------------------------------
Hi,
Vladimir Dzhuvinov vd@valan.net writes:
> Hello,
> I had a look at the OpenLDAP docs and it looks like it isn't possible to define access based on an attribute value of a bound user. Is this correct?
> I use slapd version 2.4.9 (Debian/Linux).
This is possible by defining sets; see http://www.openldap.org/faq/data/cache/1133.html
Something like: access to dn.regex="^cn=([^,]+),dc=example,dc=com$" by set.regex="[cn=$1,dc=example,dc=com]/<attributeType> & [<attributeValue>]"
-Dieter
Thank you both for your answers!
I didn't expect that "sets" was the solution to allowing access to users with a specific attribute value in their entry.
In my particular case I wanted to allow access only by users with their attribute "transactionCenterRole" set to "admin". Here is the actual statement that got me what I want:
access to filter=(objectClass=transactionCenterUser) by set="user/transactionCenterRole & [admin]" write by * read
Vladimir
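As an added example (not from the thread), here is a slapd.conf ACL block that generalizes Vladimir's statement: the first rule grants write only to bound users whose own entry carries transactionCenterRole=admin, and the last one uses a set to compare an attribute of the target entry with the same attribute of the bound user's entry. The objectClass transactionCenterUser and the role attribute are the names used in the thread; the dc=example,dc=com suffix, the ou-based rule and the userPassword rule are assumptions.

```conf
# Added example, not from the thread. The suffix dc=example,dc=com, the
# userPassword rule and the ou-based rule are assumptions; the objectClass
# and role attribute are the ones named in the thread.
#
# slapd uses the first "access to" whose target matches the entry and, within
# it, the first "by" clause that matches the requester, so order matters.

# Passwords: the owner may write, everyone else may only use them to bind.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Role-gated write. "user" is the bound DN as a one-element set,
# "/transactionCenterRole" replaces it with that entry's role values, and
# "& [admin]" intersects with the literal string "admin". A non-empty result
# means the clause matches. Unlike "by * read" in the thread, anonymous
# binds get nothing here; only authenticated users may read.
access to filter=(objectClass=transactionCenterUser)
    by set="user/transactionCenterRole & [admin]" write
    by users read
    by * none

# Comparing the target with the bound user: "this" is the entry being
# accessed, so a user may write entries whose ou matches one of the ou
# values in the user's own entry (e.g. same department).
access to dn.subtree="ou=people,dc=example,dc=com"
    by set="this/ou & user/ou" write
    by users read
    by * none
```

Because the filter rule precedes the subtree rule, a transactionCenterUser entry under ou=people is governed by the role rule, not the ou rule.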
openldap-software@openldap.org