Andrew Findlay wrote:
On Mon, Jan 16, 2017 at 03:21:41PM +0000, Philip Colmer wrote:
to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by set="this/owner/member & user" write by users none by * none
Is there a way of performing an LDAP search that does the equivalent of the ACL (or something like it) to tell me which groups can be written to for a given DN?
I don't think you will be able to do that in a single LDAP operation on a standard server. The most efficient way is probably:
1. Search for all groups that the user is a member of, returning just the DN.
2. Search for all groups where any of those DNs are found in the owner attribute.
Beware, though, that if some users are members of very large numbers of groups then the search assertion could be very large...
If you have the memberof overlay then you may be able to simplify the process by having it maintain an 'ownerOf' attribute in the group entries. Then you could get what you want in a single search:
Match: (&(objectclass=groupOfNames)(member=<user DN>))
Return: ownerOf attribute
This may return multiple entries. You just need to gather up all the ownerOf values. To be really cute you could add the dynlist overlay to do this for you...
One DN reference level in search results can also be covered by using slapo-deref (provided the LDAP client also supports using that extended control).
Using dereferenced attribute values as assertion values in filters does not work.
So together with slapo-memberof maintaining an 'ownerOf' attribute this could be achieved with one search operation.
Ciao, Michael.
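Andrew's two-step procedure, worked through as an added example; this is not code from the thread and not OpenLDAP's own. It assumes a `search(base, ldap_filter, attrs)` callable that you would wrap around your LDAP client library (python-ldap, ldap3); a constructed in-memory directory with a minimal filter evaluator stands in for slapd so the code runs offline. It goes slightly beyond the two steps as posted: it also folds in the `by dnattr="owner"` clause of the ACL (the user being an owner directly), bounds the size of the OR filter in step 2 as the "very large assertion" caveat asks, and applies RFC 4515 escaping to the DNs used as assertion values, so a group DN containing parentheses (or a user-controlled value) cannot break or alter the filter.

```python
"""Which groups under ou=groups can a user write to, under the ACL from the thread?

Added example, not from the thread. GROUP_BASE is the base from the ACL; CHUNK,
the sample entries and the in-memory search are constructed for this example.
"""
import re

GROUP_BASE = "ou=groups,dc=example,dc=com"
CHUNK = 50  # constructed bound on DNs per OR-filter, to keep the assertion small


def escape_filter_value(value):
    """RFC 4515 escaping: a DN (or any untrusted string) used as an assertion value
    must not be able to inject filter syntax such as ')' or '*'."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def owner_filters(dns, chunk=CHUNK):
    """Step 2 filters: groups whose owner is any of the candidate DNs, chunked."""
    dns = list(dns)
    filters = []
    for i in range(0, len(dns), chunk):
        terms = "".join("(owner=%s)" % escape_filter_value(d) for d in dns[i:i + chunk])
        filters.append("(&(objectClass=groupOfNames)(|%s))" % terms)
    return filters


def writable_groups(search, user_dn):
    """Return the set of group DNs the ACL lets user_dn write.
    search(base, ldap_filter, attrs) -> list of (dn, attrs_dict) is assumed."""
    # Step 1: groups the user is a member of ("1.1" asks for no attributes, DN only).
    step1 = "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)
    # The user's own DN covers 'by dnattr="owner"'; the group DNs cover the set clause.
    candidates = [user_dn] + [dn for dn, _ in search(GROUP_BASE, step1, ["1.1"])]
    # Step 2: groups owned by the user or by one of those groups (one level, like the set).
    result = set()
    for flt in owner_filters(candidates):
        result.update(dn for dn, _ in search(GROUP_BASE, flt, ["1.1"]))
    return result


# ---- constructed stand-in for the directory, so the example runs offline ----
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"


def _group(members, owners):
    return {"objectclass": ["groupOfNames"], "member": list(members), "owner": list(owners)}


DIRECTORY = {  # constructed sample entries
    "cn=admins," + GROUP_BASE: _group([ALICE], []),
    "cn=developers," + GROUP_BASE: _group([ALICE], ["cn=admins," + GROUP_BASE]),
    "cn=ops (eu)," + GROUP_BASE: _group([BOB], ["cn=admins," + GROUP_BASE]),
    "cn=finance," + GROUP_BASE: _group([BOB], [ALICE]),
    "cn=legal," + GROUP_BASE: _group([BOB], ["cn=finance," + GROUP_BASE]),
    "cn=sre," + GROUP_BASE: _group([], ["cn=ops (eu)," + GROUP_BASE]),
}


def _parse(s, i):
    """Tiny parser for the filter shapes used above: (&...), (|...) and (attr=value).
    It relies on assertion values being escaped; an unescaped ')' would end a leaf early."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, raw = s[i + 1:j].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr.lower(), value), j + 1


def _match(node, entry):
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_match(k, entry) for k in node[1])
    _, attr, value = node  # DN-valued attributes compared case-insensitively here
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def memory_search(base, ldap_filter, attrs):
    """Stand-in for an LDAP subtree search; returns (dn, {}) like a '1.1' search."""
    node, _ = _parse(ldap_filter, 0)
    return [(dn, {}) for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and _match(node, entry)]


if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who, "->", sorted(writable_groups(memory_search, who)))
```

Note that step 2 deliberately looks only one level deep (owner is the user, or a group the user is directly a member of), which is exactly what `set="this/owner/member & user"` grants; a nested membership such as alice in admins, admins owning finance, finance owning legal does not make legal writable for alice, and neither does the ACL. Swap `memory_search` for a wrapper around your client library's subtree search to use it against a real server.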