Thank you, Andrew, for that clear example and explanation. I have successfully implemented this now.
Regards
Philip
On 30 January 2013 08:00, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
On Thu, Jan 24, 2013 at 12:22:18PM +0000, Philip Colmer wrote:
What I want/need to be able to do is for LDAP to read the DN of the group that has permission, in the same way that it does with dnattr. I thought that I had read something about this being possible with sets, but slapd.access says that "The statement set=<pattern> is undocumented yet." so I'm not clear if that is the most appropriate way to proceed.
Can someone please advise on how this might be accomplished?
Sets are indeed the answer. The documentation only exists in the OpenLDAP FAQ-o-matic at present, but you need something like this:
access to dn.sub="ou=groups,dc=example,dc=com"
        by set="this/manager/member & user" write
        by users read
        by * none
That ACL would give write access to members of any group whose DN is listed in the "manager" attribute.
The basic idea is that "this/manager/member" produces a set of DNs, "user" produces a set containing the DN of the bound user, and "&" generates the intersection of the two sets. If the result is a non-empty set then the "by" clause applies.
Andrew
Andrew Findlay, Skills 1st Ltd
Consultant in large-scale systems, networks, and directory services
http://www.skills-1st.co.uk/  +44 1628 782565
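A worked illustration of the set evaluation Andrew describes, added here as an example; it is not code from the thread or from OpenLDAP. It models a tiny directory and walks "this/manager/member & user" the way the ACL does: "this" is the entry being accessed, each "/attr" step replaces every DN in the set by that attribute's values on the named entry, "user" is the bound DN (empty for an anonymous bind), and the clause applies when the intersection is non-empty. The group and person DNs, the dn.sub scope and the DN normalisation are all constructed assumptions for the example; only the "&" operator and the "this"/"user" bases are modelled.

```python
"""Toy evaluator for the slapd ACL  by set="this/manager/member & user" write.

Added example, not OpenLDAP code: it models only the subset of set syntax used
in the thread ("this", "user", "/attr" steps and "&").
"""
from typing import Dict, List, Optional, Set

# Constructed sample directory (DN -> attributes); not real data.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        # The group that is allowed to administer "devs".
        "manager": ["cn=dev-admins,ou=groups,dc=example,dc=com"],
        "member": [
            "uid=alice,ou=people,dc=example,dc=com",
            "uid=bob,ou=people,dc=example,dc=com",
        ],
    },
    "cn=dev-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=carol,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=carol,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
}

# The dn.sub="..." target of the ACL in the thread (assumed value).
SCOPE = "ou=groups,dc=example,dc=com"


def norm(dn: str) -> str:
    """Crude DN normalisation; slapd does full schema-aware matching."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def walk(start: Set[str], path: List[str]) -> Set[str]:
    """Apply each "/attr" step: replace every DN in the set by the values of
    attr on that entry.  DNs that do not exist contribute nothing."""
    current = set(start)
    for attr in path:
        nxt: Set[str] = set()
        for dn in current:
            entry = DIRECTORY.get(dn)
            if entry is not None:
                nxt.update(norm(v) for v in entry.get(attr, []))
        current = nxt
    return current


def eval_term(term: str, this_dn: str, user_dn: str) -> Set[str]:
    """Evaluate one term such as "this/manager/member" or "user"."""
    base, *path = term.strip().split("/")
    if base == "this":
        start = {norm(this_dn)}
    elif base == "user":
        # An anonymous bind has no DN, so "user" is the empty set.
        start = {norm(user_dn)} if user_dn else set()
    else:
        raise ValueError(f"unsupported set base: {base!r}")
    return walk(start, path)


def set_matches(expr: str, this_dn: str, user_dn: str) -> bool:
    """The clause applies when the intersection of all "&" terms is non-empty."""
    result: Optional[Set[str]] = None
    for term in expr.split("&"):
        s = eval_term(term, this_dn, user_dn)
        result = s if result is None else result & s
    return bool(result)


def access_level(target_dn: str, user_dn: str) -> str:
    """Mirror the ACL from the thread; the first matching "by" clause wins.
    Returns "write", "read" or "none", or "n/a" if the target is outside
    the dn.sub scope so this ACL is not the one that applies."""
    target = norm(target_dn)
    if target != SCOPE and not target.endswith("," + SCOPE):
        return "n/a"
    if set_matches("this/manager/member & user", target, user_dn):
        return "write"          # by set="this/manager/member & user" write
    if user_dn:
        return "read"           # by users read  (any authenticated bind)
    return "none"               # by * none      (anonymous)


if __name__ == "__main__":
    devs = "cn=devs,ou=groups,dc=example,dc=com"
    for who in ("uid=carol,ou=people,dc=example,dc=com",
                "uid=alice,ou=people,dc=example,dc=com", ""):
        print(f"{who or '<anonymous>'}: {access_level(devs, who)}")
```

Here carol gets write on cn=devs because cn=devs lists cn=dev-admins as its manager and carol is a member of that group; alice, a member of cn=devs itself but not of its manager group, falls through to "by users read"; an anonymous bind gets none. Two things worth keeping in mind on a real server: each "/attr" step is an internal entry lookup performed on every access check, so deep or widely fanning sets are not free, and the authoritative check for a given slapd.conf is slapacl(8), for example slapacl -f slapd.conf -D "uid=carol,ou=people,dc=example,dc=com" -b "cn=devs,ou=groups,dc=example,dc=com" member/write, which reports whether that bind DN would be granted the access.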