On Mon, Jan 16, 2017 at 03:21:41PM +0000, Philip Colmer wrote:
> to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by set="this/ owner/member & user" write by users none by * none
> Is there a way of performing an LDAP search that does the equivalent of the ACL (or something like it) to tell me which groups can be written to for a given DN?
I don't think you will be able to do that in a single LDAP operation on a standard server. The most efficient way is probably:
Search for all groups that the user is a member of, returning just the DN
Search for all groups where any of those DNs are found in the owner attribute
Beware though, that if some users are members of very large numbers of groups then the search assertion could be very large...
If you have the memberof overlay then you may be able to simplify the process by having it maintain an 'ownerOf' attribute in the group entries. Then you could get what you want in a single search:
Match: (&(objectclass=groupOfNames)(member=<user DN>)) Return: ownerOf attribute
This may return multiple entries. You just need to gather up all the ownerOf values. To be really cute you could add the dynlist overlay to do this for you...
Andrew
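The following is an added example, not code from the thread or from OpenLDAP. It builds the search filters for the two-step method described above (member-of groups, then groups owned by any of them) and for the memberof/ownerOf variant, escaping DNs per RFC 4515 so a DN containing "(", ")", "*" or "\" cannot break or widen the filter, and evaluates both methods against a small constructed in-memory directory so the logic can be checked without a server. The directory contents, the user DN and the attribute name ownerOf are assumptions.

```python
"""Finding the groups a user can write to under the posted ACL, two ways.

Added example (not from the mailing-list thread). A tiny dict-based directory
stands in for the LDAP server; the filter builders produce what you would pass
to ldapsearch. Directory contents, user DN and the 'ownerOf' name are assumed.
"""

GROUP_BASE = 'ou=groups,dc=example,dc=com'


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP filter (RFC 4515).

    Without this, a DN such as 'cn=proj(x),...' would make the filter invalid,
    and a crafted DN containing '*' could widen the match (filter injection).
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def member_filter(user_dn: str) -> str:
    """Step 1 (and the single search of the memberof variant): groups the user is in."""
    return '(&(objectClass=groupOfNames)(member=%s))' % escape_filter_value(user_dn)


def owner_filter(owner_dns) -> str:
    """Step 2: groups whose owner attribute holds any of the given group DNs.

    One (owner=...) term per DN, so the assertion grows with the number of groups
    the user belongs to, which is the size concern raised in the post.
    """
    if not owner_dns:
        raise ValueError('an OR filter needs at least one term')
    terms = ''.join('(owner=%s)' % escape_filter_value(dn) for dn in owner_dns)
    return '(&(objectClass=groupOfNames)(|%s))' % terms


def _search(directory, base, attr, values):
    """Stand-in for ldapsearch: groupOfNames entries under base whose attr holds any of values."""
    wanted = set(values)
    return sorted(dn for dn, entry in directory.items()
                  if dn.endswith(',' + base)
                  and 'groupOfNames' in entry.get('objectClass', [])
                  and wanted & set(entry.get(attr, [])))


def writable_groups_two_step(directory, user_dn):
    """Two searches: groups the user is a member of, then groups owned by any of them.

    Direct ownership (the ACL's dnattr="owner" clause) would need one more term,
    (owner=<user DN>); it is left out here to match the posted steps.
    """
    my_groups = _search(directory, GROUP_BASE, 'member', [user_dn])
    if not my_groups:
        return []
    return _search(directory, GROUP_BASE, 'owner', my_groups)


def writable_groups_via_ownerof(directory, user_dn):
    """Single search, assuming the memberof overlay maintains 'ownerOf' on group entries."""
    result = set()
    for dn in _search(directory, GROUP_BASE, 'member', [user_dn]):
        result.update(directory[dn].get('ownerOf', []))
    return sorted(result)


# Constructed sample directory: DN -> {attribute: [values]}.
USER_DN = 'uid=alice,ou=people,dc=example,dc=com'
DIRECTORY = {
    'cn=admins,' + GROUP_BASE: {
        'objectClass': ['groupOfNames'], 'member': [USER_DN],
        'owner': ['cn=directors,' + GROUP_BASE],
        'ownerOf': ['cn=staff,' + GROUP_BASE, 'cn=proj(x),' + GROUP_BASE]},
    'cn=directors,' + GROUP_BASE: {
        'objectClass': ['groupOfNames'],
        'member': ['uid=carol,ou=people,dc=example,dc=com'],
        'owner': [], 'ownerOf': ['cn=admins,' + GROUP_BASE]},
    'cn=staff,' + GROUP_BASE: {
        'objectClass': ['groupOfNames'],
        'member': ['uid=bob,ou=people,dc=example,dc=com'],
        'owner': ['cn=admins,' + GROUP_BASE]},
    'cn=proj(x),' + GROUP_BASE: {
        'objectClass': ['groupOfNames'],
        'member': ['uid=bob,ou=people,dc=example,dc=com'],
        'owner': ['cn=admins,' + GROUP_BASE]},
}

if __name__ == '__main__':
    mine = _search(DIRECTORY, GROUP_BASE, 'member', [USER_DN])
    print('step 1 filter:', member_filter(USER_DN))
    print('step 2 filter:', owner_filter(mine))
    print('two-step result:', writable_groups_two_step(DIRECTORY, USER_DN))
    print('ownerOf result: ', writable_groups_via_ownerof(DIRECTORY, USER_DN))
```

Both methods return the same two groups for alice, and the step 2 filter shows the escaped "(" and ")" of the proj(x) DN as \28 and \29. Note that the escaping function is the part that matters when the user DN or group DNs come from an untrusted source.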