On Wed, 21 Aug 2019 10:50:19 +0200, Ondřej Kuzník ondra@mistotebe.net wrote:
On Tue, Aug 20, 2019 at 10:22:56PM +0200, Martin W. wrote:
Dear OpenLDAP technical list,
I've been running into a little problem with my permission structures – and was wondering if you could help me with it.
I want the members of a group to administer a tree structure that the group is a member of. I've tried some acl settings – I'll post my trials below the basic structure.
I've tried some different things ... and no regex was successful :( Since I'll post some fragments, I put every LDIF fragment within such a bash fragment:
olcAccess: to * by self write by dn="cn=admin,dc=example,dc=com" write by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by users read by * none
trial 1
olcAccess: to dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com" by self write by dn="cn=admin,dc=example,dc=com" write by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write by set="this/member* & user" read by * none
The result is that admin and any member of ldapadmins can edit, while the members of the specific entity admin subgroups cannot edit. The specific admin subgroups cannot even see the entities subtree.
Hi Martin, what is the order of the above two olcAccess statements? If they apply in the order above, it seems the first one will always apply and processing will stop there. In that case you either want to add a "break" in the first one or split/move it to be checked later.
I assume you also know and use the slapacl tool (and loglevel acl) to test with? Does it show any additional information that might be helpful in diagnosing the issue?
With regard to 'set' here is some basic information. http://www.openldap.org/faq/data/cache/1133.html http://www.openldap.org/faq/data/cache/1134.html
-Dieter
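One way to lay out the two clauses in the order Ondřej describes (specific target first, `to *` last), as an added example that is not part of the thread. The DNs and `by` clauses are the ones from Martin's post; the database entry `olcDatabase={1}mdb,cn=config`, the `{n}` ordering prefixes and the `^`/`$` anchors on the regex are assumptions.

```ldif
# Added example (not from the thread). slapd walks olcAccess values in {n}
# order and applies the first "to" clause whose target matches the entry, so
# the per-entity clause has to come before the catch-all "to *".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: each o=<entity> entry under ou=entities plus one RDN below it. $2 is the
# o= value captured by the regex and is expanded into that entity's admin
# group DN. Anchored so a longer DN that merely contains this suffix cannot match.
olcAccess: {0}to dn.regex="^([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com$"
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
  by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write
  by set="this/member* & user" read
  by * none
# {1}: everything the {0} target did not match (ou=groups, the base entry, ...).
# Previously this clause came first and stopped evaluation for every entry.
olcAccess: {1}to *
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
  by users read
  by * none
```

To check the result without a live bind, `slapacl -F /etc/ldap/slapd.d -D "<member of cn=admin,o=<entity>,...>" -b "o=<entity>,ou=entities,dc=example,dc=com" entry/read` (config directory path assumed) reports which access that identity gets on the entry.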