Thank you, Andrew, for that clear example and explanation. I have successfully implemented this now.

Regards

Philip



On 30 January 2013 08:00, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
On Thu, Jan 24, 2013 at 12:22:18PM +0000, Philip Colmer wrote:

> What I want/need to be able to do is for LDAP to read the DN of the group that
> has permission, in the same way that it does with dnattr. I thought that I had
> read something about this being possible with sets, but slapd.access says that
> "The statement set=<pattern> is undocumented yet." so I'm not clear if that is
> the most appropriate way to proceed.
>
>
> Can someone please advise on how this might be accomplished?

Sets are indeed the answer. The documentation only exists in
the OpenLDAP FAQ-o-matic at present, but you need something
like this:

access to dn.sub="ou=groups,dc=example,dc=com"
        by set="this/manager/member & user" write
        by users read
        by * none

That ACL would give write access to members of any group whose
DN is listed in the "manager" attribute.

The basic idea is that "this/manager/member" produces a set of DNs,
"user" produces a set containing the DN of the bound user,
and "&" generates the intersection of the two sets.
If the result is a non-empty set then the "by" clause applies.

Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
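As an added illustration of the evaluation model Andrew describes (not part of his message and not OpenLDAP's own code), a small Python model of a set clause: `this/manager/member` is expanded by following attributes as DN links, `user` is the bound DN, and `&` intersects the two; the entries, the `DIRECTORY` mapping and the function names are all constructed for the example.

```python
# Constructed model of how a slapd ACL clause such as
#   by set="this/manager/member & user" write
# is evaluated. This is a simplified simulation, not OpenLDAP's
# implementation, and the directory entries below are made up.

DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        # "manager" names the group whose members may administer this entry
        "manager": ["cn=admins,ou=groups,dc=example,dc=com"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}


def norm(dn):
    # Simplified DN normalisation; real slapd does full DN normalisation.
    return ",".join(part.strip() for part in dn.lower().split(","))


def follow(start, attrs):
    """Expand a set of DNs through a chain of attributes. For
    this/manager/member: take 'this', collect its manager values (DNs),
    then collect the member values of those entries."""
    current = {norm(d) for d in start}
    for attr in attrs:
        current = {norm(v) for dn in current
                   for v in DIRECTORY.get(dn, {}).get(attr, [])}
    return current


def eval_set(expr, this_dn, user_dn):
    """Evaluate 'lhs & rhs' where each side is a path rooted at 'this'
    or 'user'. Returns the intersection of the two resulting DN sets."""
    roots = {"this": [this_dn], "user": [user_dn]}
    sides = []
    for side in expr.split("&"):
        root, *attrs = side.strip().split("/")
        sides.append(follow(roots[root], attrs))
    result = sides[0]
    for s in sides[1:]:
        result &= s
    return result


def clause_applies(expr, this_dn, user_dn):
    # The "by" clause applies only when the intersection is non-empty.
    return bool(eval_set(expr, this_dn, user_dn))
```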