On Thu, Jan 24, 2013 at 12:22:18PM +0000, Philip Colmer wrote:
> What I want/need to be able to do is for LDAP to read the DN of the group that has permission, in the same way that it does with dnattr. I thought that I had read something about this being possible with sets, but slapd.access says that "The statement set=<pattern> is undocumented yet." so I'm not clear if that is the most appropriate way to proceed.
> Can someone please advise on how this might be accomplished?
Sets are indeed the answer. The documentation only exists in the OpenLDAP FAQ-o-matic at present, but you need something like this:
access to dn.sub="ou=groups,dc=example,dc=com" by set="this/manager/member & user" write by users read by * none
That ACL would give write access to members of any group whose DN is listed in the "manager" attribute.
The basic idea is that "this/manager/member" produces a set of DNs, "user" produces a set containing the DN of the bound user, and "&" generates the intersection of the two sets. If the result is a non-empty set then the "by" clause applies.
Andrew
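To make the set evaluation in Andrew's reply concrete, here is an added illustration (not part of the original thread, and not slapd's own evaluator) that models how "this/manager/member & user" resolves to a set of DNs against a small, constructed directory. The `walk` helper follows an arbitrary attribute path, so it generalizes beyond the single "manager/member" hop shown in the ACL; the `access_level` function mirrors the three "by" clauses. All DNs and entries below are constructed sample data.

```python
# Toy model of slapd "set" ACL evaluation for:
#   access to dn.sub="ou=groups,dc=example,dc=com"
#       by set="this/manager/member & user" write
#       by users read
#       by * none
# This is an added illustration, not OpenLDAP code.

from typing import Dict, List, Set

# Constructed sample directory: DN -> {attribute: [values]}.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "member": [
            "uid=alice,ou=people,dc=example,dc=com",
            "uid=bob,ou=people,dc=example,dc=com",
        ],
    },
    # "staff" names "admins" as its manager, so members of "admins"
    # should end up with write access to the "staff" entry.
    "cn=staff,ou=groups,dc=example,dc=com": {
        "manager": ["cn=admins,ou=groups,dc=example,dc=com"],
        "member": ["uid=carol,ou=people,dc=example,dc=com"],
    },
    # "orphans" has no manager attribute, so the set is empty for everyone.
    "cn=orphans,ou=groups,dc=example,dc=com": {
        "member": ["uid=dave,ou=people,dc=example,dc=com"],
    },
}


def normalize(dn: str) -> str:
    """DNs compare case-insensitively; lower-casing stands in for slapd's
    DN normalization in this toy model."""
    return dn.lower()


def lookup(dn: str) -> Dict[str, List[str]]:
    """Return the attributes of the entry with this (normalized) DN, or {}."""
    for entry_dn, attrs in DIRECTORY.items():
        if normalize(entry_dn) == dn:
            return attrs
    return {}


def walk(start: Set[str], path: List[str]) -> Set[str]:
    """Follow an attribute path such as ["manager", "member"]: for every DN in
    the current set, read the named attribute and collect its values as the
    next set. This is what "this/manager/member" denotes."""
    current = {normalize(d) for d in start}
    for attr in path:
        nxt: Set[str] = set()
        for dn in current:
            for value in lookup(dn).get(attr, []):
                nxt.add(normalize(value))
        current = nxt
    return current


def evaluate_set(this_dn: str, user_dn: str) -> Set[str]:
    """Evaluate "this/manager/member & user" for a target entry ("this")
    and the bound DN ("user"). "&" is plain set intersection."""
    left = walk({this_dn}, ["manager", "member"])
    right = {normalize(user_dn)} if user_dn else set()
    return left & right


def access_level(this_dn: str, user_dn: str) -> str:
    """Mirror the ACL's "by" clauses in order: a non-empty set grants write,
    any authenticated bind (non-empty user_dn) gets read, anyone else none."""
    if evaluate_set(this_dn, user_dn):
        return "write"
    if user_dn:
        return "read"
    return "none"


if __name__ == "__main__":
    staff = "cn=staff,ou=groups,dc=example,dc=com"
    for who in ("uid=alice,ou=people,dc=example,dc=com",
                "uid=carol,ou=people,dc=example,dc=com",
                ""):
        print(f"{who or '<anonymous>'} on {staff}: {access_level(staff, who)}")
```

Two practical points this model makes visible: the set is only non-empty when every hop in the path resolves (an entry with no "manager" attribute, or a manager entry with no "member" values, silently falls through to the "by users read" clause), and the comparison is on normalized DNs, so case differences in the bound DN do not break the match.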