[ This is a very old thread you are resurrecting! ]
On Fri, Sep 09, 2016 at 01:51:47PM +0300, Zeus Panchenko wrote:
> I have two posixGroup groups
>
> cn=admins,ou=group,dc=foo
> cn=coadmins,ou=group,dc=foo
>
> my users reside in ou=People,dc=foo
>
> so, in subtree ou=People,dc=foo I need to allow anything to admins (and it is not difficult of course)
>
> for example this works for me:
>
> access to dn.subtree="ou=People,dc=foo"
>     by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
>     by self write
>     by users read
>     by * break
>
> but in addition I need to allow my coadmins to do the same things except manipulations upon the objects which belong to admins ( ...anyobject,uid=adminuser,ou=People,dc=foo )
>
> so, the question is: how? (if it is possible at all) :(
It depends partly on why the ACI ends with 'by * break'. What other rules could be applied in that case?
In the simple case where 'by * none' would have the same effect, you could just put another ACI ahead of the one above so it comes out like this:
access to <expression matching the admin user DNs>
    by self write
    by users read
    by * none

access to dn.subtree="ou=People,dc=foo"
    by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
    by self write
    by users read
    by * none
The problem is to write the '<expression matching the admin user DNs>'. That would probably be easier if you were not defining admin users by their UID in a Posix group. Ideally there would be an attribute visible in each entry that defines admin status, as then you could just key on that. If your admin group is defined as a standard DN-based groupOfNames then you could use the memberof overlay to reflect membership into an attribute of the user entry.
Andrew
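For the record, here is what Andrew's suggestion looks like written out as slapd.conf directives. This is an added illustration, not configuration posted in the thread. It assumes the two groups are converted from posixGroup (memberUid) to groupOfNames (member) while keeping the DNs cn=admins and cn=coadmins, that the memberof overlay is available as a loadable module, and that user entries sit directly under ou=People,dc=foo.

```conf
# Added example, not from the original thread.
# Global section: load the memberof overlay module (path/name may differ per build).
moduleload memberof.la

# --- inside the database section for dc=foo ---

# Reflect groupOfNames membership into a memberOf attribute on each user entry,
# so that "is an admin" becomes a property visible in the entry itself.
overlay memberof
memberof-group-oc     groupOfNames
memberof-member-ad    member
memberof-memberof-ad  memberOf

# 1. Entries of admin users: only members of cn=admins (and the user itself) may write.
#    The filter is evaluated against the target entry, so this clause matches the
#    admin user's own entry; see the note below about objects beneath it.
access to dn.subtree="ou=People,dc=foo"
        filter="(memberOf=cn=admins,ou=group,dc=foo)"
    by group.exact="cn=admins,ou=group,dc=foo" manage
    by self write
    by users read
    by * none

# 2. Everything else under ou=People: both admins and coadmins may manage.
#    Clause 1 ends in "by * none", so admin entries never fall through to here.
access to dn.subtree="ou=People,dc=foo"
    by group.exact="cn=admins,ou=group,dc=foo" manage
    by group.exact="cn=coadmins,ou=group,dc=foo" manage
    by self write
    by users read
    by * none
```

Two caveats when adapting this. Because memberof only populates memberOf on the group's member entries, a child object such as anyobject,uid=adminuser,ou=People,dc=foo carries no memberOf attribute and is therefore covered by clause 2, not clause 1; keeping coadmins away from those child objects needs an additional clause keyed on the parent DN, which the thread does not work out. Also, the memberof overlay maintains memberOf only for changes made after it is enabled, so existing group memberships have to be re-applied (or the data reloaded) for the attribute to appear.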