Hi Philip,
thanks for the reply,
On Thu, May 10, 2018 at 09:12:18AM -0700, Philip Guenther wrote:
> On Thu, 10 May 2018, Ervin Hegedüs wrote:
> > On Wed, May 09, 2018 at 01:00:05PM +0200, Ervin Hegedüs wrote:
> > > Is there any way to set up one or more ACLs, where the admin1 user can set up dc=sub-company21,dc=company2,dc=hu as baseDN and can start to search from there, but will see the entries only from ou=orgunit1 and ou=orgunit2?
> > > If there isn't any solution with ACLs, can I do it some other way? I mean back_meta, rewrite, or other overlay solutions...?
> An LDAP filter can test the components of an entry's DN with a clause such as: (|(ou:dn:=orgunit1)(ou:dn:=orgunit2))
> Note the ":dn" syntax there.
Thanks - it doesn't work.
ldapsearch -H ldaps://ldap:636 -b "dc=sub-company21,dc=company,dc=hu" -D "cn=admin,dc=hu" -W "(ou:dn:=orgunit1)"
works, and the result is reduced to only OU=orgunit1,dc=sub-....
So the syntax (and the idea :)) is right.
ldapsearch -H ldaps://ldap:636 -b "ou=orgunit1,dc=sub-company21,dc=company2,dc=hu" -D "uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" -W "(ou:dn:=orgunit1)"
also works, but the baseDN starts with "ou=orgunit1", which is exactly what is set up in the ACL.
Finally,
ldapsearch -H ldaps://ldap:636 -b "dc=sub-company21,dc=company2,dc=hu" -D "uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" -W "(ou:dn:=orgunit1)"
where the baseDN is the parent of the allowed OUs and the filter contains the allowed OU(s), it doesn't work.
Note that even if it worked, I'm not sure this would be usable, because in most LDAP GUIs the connection settings don't contain any filter option, only the baseDN that you can set up.
> Perhaps an ACL using an LDAP filter containing something like that would be part of a solution.
Could you show me an example?
Thanks for your help,
a.
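Taking Philip's hint further, here is the shape such an ACL could take in slapd.conf syntax. This is an added example, not something from the thread or from the OpenLDAP project's documentation; it assumes slapd.conf-style configuration, that adminuser1 only needs read access, that the allowed OUs are direct children of the sub-company entry, and that slapd evaluates the ":dn" extensible match in an ACL filter the same way it does in the ldapsearch filters above.

```conf
# Binding must still work: the admin's own entry sits inside the
# sub-company tree but does not match the ou=orgunit filter below,
# so userPassword needs its own clause ahead of the restrictive ones.
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

# A subtree search from the parent fails (noSuchObject / empty result)
# unless the bind DN has at least "search" access to the "entry"
# pseudo-attribute of the search base. Clauses are evaluated in order
# and the first "to" clause matching an entry/attribute pair decides,
# so this narrow entry-only clause must come before the subtree clause.
access to dn.exact="dc=sub-company21,dc=company2,dc=hu" attrs=entry
    by dn.exact="uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" search
    by * none

# Inside the sub-company tree, grant read only on entries whose DN
# contains ou=orgunit1 or ou=orgunit2 (the ":dn" match from Philip's
# reply), i.e. those two OU entries and everything beneath them.
access to dn.subtree="dc=sub-company21,dc=company2,dc=hu"
        filter="(|(ou:dn:=orgunit1)(ou:dn:=orgunit2))"
    by dn.exact="uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" read
    by * none

# Anything else under dc=sub-company21 (the parent's own attributes,
# other OUs, ou=_srv) matches no clause above and so stays hidden from
# adminuser1; add further "to"/"by" clauses for other users as needed.
```

The bind DN then searches from the parent baseDN without any client-side filter, which addresses the GUI concern: the server returns only the orgunit1/orgunit2 entries while the parent entry's own attributes remain unreadable.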