"Dieter Kluenter" dieter@dkluenter.de writes:
Frederik Bosch frederik.bosch@gmail.com writes:
Unfortunately, I can't get it working. Thanks again though! I am still not able to read, only auth/bind. Suppose I have the following setup.

dn: cn=Role Example 1,o=Organization
objectClass: organizationalRole
cn: Role Example 1
roleOccupant: uid=webmaster@example.com,ou=Partners,o=Organization
roleOccupant: uid=admin@example.com,ou=Partners,o=Organization
roleOccupant: uid=root@example.com,ou=Partners,o=Organization

dn: cn=Role Example 2,o=Organization
objectClass: organizationalRole
cn: Role Example 2
roleOccupant: uid=webmaster@example.co.uk,ou=Other,o=Organization
roleOccupant: uid=admin@example.co.uk,ou=Other,o=Organization
roleOccupant: uid=root@example.co.uk,ou=Other,o=Organization

dn: cn=Role Example N,o=Organization
objectClass: organizationalRole
cn: Role Example N
roleOccupant: uid=xx,ou=Misc,o=Organization
roleOccupant: uid=yy,ou=Misc,o=Organization
roleOccupant: uid=zz,ou=Misc,o=Organization

Now I want to assign read access to the complete LDAP tree for all occupants of an organizationalRole.
Something like

access to dn.subtree="o=organization" by group/organizationalRole/roleOccupant.expand="^cn=[^,]+,ou=[^,]+,o=organization$" read

You may check with slapd in debugging mode (-d acl) and read man slapd.access(5) for more examples.

Another experimental approach would be sets and URI expansion. Something like this untested example:
access to dn.subtree="o=organization" by set.expand="[ldap:///o=organization??sub?objectclass=organizationalRole]/roleOccupant" read
-Dieter
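As an added worked example (it is not part of Dieter's or Frederik's posts and was not tested against their server), here is a slapd.conf ACL fragment that puts the two approaches from the reply side by side, using the role entries from Frederik's setup. The userPassword rule is an assumption, included because the thread only says that bind already works and the subtree rule must not override it. In the set form the collected roleOccupant values are intersected with `user` (the bound DN); without that intersection the set is non-empty whenever any role has an occupant, and the rule would grant read to every requester.

```conf
# Added example for slapd.conf. Assumed layout: suffix "o=Organization" with the
# organizationalRole entries directly beneath it, as in the LDIF quoted above.
# slapd uses the first "access to" clause whose target matches the entry, so the
# userPassword rule must come before the subtree rule or password hashes become
# readable by every role occupant.

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Approach 1: one "group" clause per role.
# group/<objectclass>/<attribute>=<DN> makes slapd fetch the named entry, verify
# it carries objectClass organizationalRole, and grant access when the bound DN
# appears among its roleOccupant values. The pattern is a single DN (the default
# style is exact), so each role needs its own "by" line.
access to dn.subtree="o=Organization"
        by group/organizationalRole/roleOccupant="cn=Role Example 1,o=Organization" read
        by group/organizationalRole/roleOccupant="cn=Role Example 2,o=Organization" read
        by group/organizationalRole/roleOccupant="cn=Role Example N,o=Organization" read
        by * none

# Approach 2: a set, which covers every role without listing them.
# The URI collects the roleOccupant values of all organizationalRole entries
# under the suffix; "& user" keeps only the bound DN, so the set is non-empty
# (and the rule matches) exactly when the requester occupies some role.
# Anonymous requesters have an empty "user", so they never match.
# This rule REPLACES the one above: a second "access to dn.subtree" for the
# same target would never be reached.
#
# access to dn.subtree="o=Organization"
#         by set="[ldap:///o=Organization??sub?(objectClass=organizationalRole)]/roleOccupant & user" read
#         by * none

# Check without starting the server: slapacl evaluates this configuration for
# a given bound DN (-D) against a given entry (-b) and prints ALLOWED or DENIED
# per requested attribute/access. The DNs below are Frederik's sample data.
#
#   slapacl -f /etc/ldap/slapd.conf \
#           -D "uid=webmaster@example.com,ou=Partners,o=Organization" \
#           -b "uid=admin@example.co.uk,ou=Other,o=Organization" "cn/read"
#
# Run it once with an occupant DN and once with a DN that occupies no role;
# only the first should be allowed. "slapd -d acl" shows the same evaluation
# live for real requests.
```

The group form is the easier one to reason about in the ACL debug output, since each `by` clause names the exact entry slapd will read; the set form is the one that keeps working when a new role entry is added without touching the configuration.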