uri_gr1@tut.by writes:
I have openldap-2.4.8 up and running. I have ou=People subtree with posixAccounts and I need to grant access to, let's say, ou=Clients,ou=AddressBook by all rdn's in ou=People, having gidNumber=10008.
I'm not quite sure what you mean with "by all rdn's". Something like, user uid=uri_gr1,ou=People,dc=tut,dc=by should have access to uid=uri_gr1,ou=Clients,ou=AddressBook,dc=tut,dc=by if the user entry contains attribute gidNumber: 10008?
And what access? To update the entry? Untested:
access to dn.regex="^(uid=[^,]*),ou=Clients,ou=AddressBook,dc=tut,dc=by$" by dn.exact,expand="$1,ou=People,ou=AddressBook,dc=tut,dc=by" set.exact="self/gidNumber & 10008" write
Note however that if users have write access to their own gidNumber attribute, they can insert themselves in the group and give themselves access. Or if you instead want members listed in that group rather than with that gidNumber as their primary group:
access to dn.regex="^uid=([^,]*),ou=Clients,ou=AddressBook,dc=tut,dc=by$" by dn.exact,expand="uid=$1,ou=People,ou=AddressBook,dc=tut,dc=by" set.expand="[cn=group10008,ou=filegroups,dc=tut,dc=by]/memberUid & $1" write
If they should also be able to add/delete this entry, they need write access to attrs=children of the ou=Clients entry:
access to dn.exact=ou=Clients,ou=AddressBook,dc=tut,dc=by attrs=children by... well, maybe dn.children="ou=Clients,ou=AddressBook,dc=tut,dc=by" write
Another note: Computer accounts are not people. You may be making problems for yourself if you are mixing the two up in one subtree, and then e.g. use that as both an address book (where one expects one entry per person) and for account info. If one person has two accounts, you have to make him two "people" in the ou=People subtree. If you want impersonal accounts, they will appear as people too to clients that do not take care to weed out entries with objectClass=person.
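A fuller slapd.conf ACL set along the lines discussed in the reply, added here as an illustration and not taken from the thread. It assumes accounts live directly under ou=People,dc=tut,dc=by (as in the original question), an administrative DN cn=admin,dc=tut,dc=by, and the ACL-set keyword "user" for the bound DN; the first rule is the mitigation for the self-enrollment problem noted above.

```conf
# Added example, not from the thread. Assumed layout:
#   accounts:      uid=<name>,ou=People,dc=tut,dc=by
#   address book:  uid=<name>,ou=Clients,ou=AddressBook,dc=tut,dc=by
#   privileged group selected by gidNumber 10008
#   admin DN (assumed): cn=admin,dc=tut,dc=by
# Rules are evaluated in order; the first "access to" whose target
# matches wins, so the more specific targets come first.

# 1. Users must not be able to change their own gidNumber (or uidNumber),
#    otherwise they could put themselves into the privileged group.
access to dn.subtree="ou=People,dc=tut,dc=by" attrs=gidNumber,uidNumber
    by dn.exact="cn=admin,dc=tut,dc=by" write
    by users read
    by * none

# 2. A user may modify the address-book entry whose RDN matches his own
#    uid ($1 from the regex), but only while his own account carries
#    gidNumber 10008 ("user" in a set is the bound DN).
access to dn.regex="^uid=([^,]+),ou=Clients,ou=AddressBook,dc=tut,dc=by$"
    by dn.exact,expand="uid=$1,ou=People,dc=tut,dc=by" set.exact="user/gidNumber & 10008" write
    by users read
    by * none

# 3. Adding or deleting entries under ou=Clients needs write access to
#    the parent's "children" pseudo-attribute; grant it to the same group.
#    Rule 2 still limits which entry a given user may actually write.
access to dn.exact="ou=Clients,ou=AddressBook,dc=tut,dc=by" attrs=children
    by dn.children="ou=People,dc=tut,dc=by" set.exact="user/gidNumber & 10008" write
    by * none

# 4. Everything else: authenticated users may read, anonymous gets nothing.
access to *
    by dn.exact="cn=admin,dc=tut,dc=by" write
    by users read
    by * none
```

After loading the rules, check them with slapacl before relying on them, e.g. slapacl -D "uid=uri_gr1,ou=People,dc=tut,dc=by" -b "uid=uri_gr1,ou=Clients,ou=AddressBook,dc=tut,dc=by" "entry/write".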