Frederik Bosch frederik.bosch@gmail.com writes:
Unfortunately, I can't get it working. Thanks again though! I am still not able to read, only auth/bind. Suppose I have the following setup.
dn: cn=Role Example 1,o=Organization
objectClass: organizationalRole
cn: Role Example 1
roleOccupant: uid=webmaster@example.com,ou=Partners,o=Organization
roleOccupant: uid=admin@example.com,ou=Partners,o=Organization
roleOccupant: uid=root@example.com,ou=Partners,o=Organization

dn: cn=Role Example 2,o=Organization
objectClass: organizationalRole
cn: Role Example 2
roleOccupant: uid=webmaster@example.co.uk,ou=Other,o=Organization
roleOccupant: uid=admin@example.co.uk,ou=Other,o=Organization
roleOccupant: uid=root@example.co.uk,ou=Other,o=Organization

dn: cn=Role Example N,o=Organization
objectClass: organizationalRole
cn: Role Example N
roleOccupant: uid=xx,ou=Misc,o=Organization
roleOccupant: uid=yy,ou=Misc,o=Organization
roleOccupant: uid=zz,ou=Misc,o=Organization
Now I want to assign read access to the complete LDAP tree for all occupants of an organizationalRole.
Something like

access to dn.subtree="o=organization"
    by group/organizationalRole/roleOccupant.expand="^cn=[^,]+,ou=[^,]+,o=organization$" read

You may check with slapd in debugging mode (-d acl) and read man slapd.access(5) for more examples.
-Dieter
On 26-8-2010 11:22, Frederik Bosch wrote:
By the way. This seems to be correct syntax, but does not give me the correct result.
access to attrs=uid,userPassword by anonymous auth by * none
access to * by group/organizationalRole/roleOccupant.regex=".+" read by * none
I am able to bind, but not to read the tree.
Frederik
On 26-8-2010 10:47, Frederik Bosch wrote:
Thanks again Dieter. That looks way too difficult for me :). I changed some things. Now suppose that I want to assign read access to every roleOccupant in an organizationalRole.
access to * by group/organizationalRole/roleOccupant read
But that's not correct syntax. Slapd won't start. It has to be like this:
access to * by group/organizationalRole/roleOccupant="<DN>" read
What syntax do I need to let "<DN>" match the whole tree?
Thanks for the help, Frederik
On 25-8-2010 14:36, Frederik Bosch wrote:
That's not what I mean, but thanks for your suggestion.
Let me try to rephrase. Suppose I have an organizationalRole located in Amsterdam and Rotterdam. Now I only want to assign rights to all occupants of the organizationalRole located in Amsterdam.
In XPath-like syntax, this would look like this.
access to * by group/organizationalRole[@location="Amsterdam"]/roleOccupant read
How do I need to rewrite this for slapd? Thanks,
Frederik
On 08/23/2010 06:03 PM, Frederik Bosch wrote:
Hello,
I am trying to set up an access control rule, but failed. All occupants of the objectClass organizationalRole which has a certain location may have read access. How do I set up this rule in slapd.conf?
This is my line at the moment. This matches the dn of the occupant. But how do I match the location attribute of the organizationalRole?
access to * by group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com" read
Thanks in advance,
Frederik
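For the setup quoted at the top of the thread, here is an added slapd.conf fragment (example configuration, not from anyone in the thread) that gives the occupants of the listed roles read access to the whole tree while still allowing them to bind. It assumes the role DNs from the LDIF above and enumerates them one `by group` clause each, because the group pattern must resolve to a single group entry DN (the `expand` style only substitutes `$1`-style captures taken from a `to dn.regex` match; it is a replacement string, not a regular expression).

```conf
# Added example (not from the thread). Assumes the role entries quoted above:
# cn=Role Example 1,o=Organization and cn=Role Example 2,o=Organization.
# slapd evaluates "access to" clauses in order and stops at the first clause
# whose target matches, so the userPassword rule must come before the
# subtree rule or the subtree rule would swallow the bind attribute too.

# Anyone may bind (userPassword is compared, never returned); users may
# change their own password; nobody else can touch it.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

# Everything else under o=Organization is readable by any DN that appears as
# a roleOccupant value in one of the named roles. Each role needs its own
# "by group" clause since the pattern names exactly one group entry.
# "by * none" is the explicit default for everyone else, including
# occupants of roles not listed here.
access to dn.subtree="o=Organization"
        by group/organizationalRole/roleOccupant="cn=Role Example 1,o=Organization" read
        by group/organizationalRole/roleOccupant="cn=Role Example 2,o=Organization" read
        by * none
```

Running slapd with `-d acl` prints, for each request, which `access to` clause matched and which `by` clause granted or denied it, which is the quickest way to see whether a bind succeeds but the following search is denied by the subtree rule.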