In a message dated Wednesday 23 April 2008 15:14:08, Hallvard B Furuseth wrote:
> uri_gr1@tut.by writes:
>> I tested the ACLs below: (...) But it didn't work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is restricted for everyone.
>
> Sorry, I forgot to quote the gidNumber values. Literal values in sets are quoted with [].
>
> Also, you asked for a different access than you actually wanted. Read man slapd.access: only the first "to" clause which matches what you want to access is used. Your first "access" clause hid all the others, since they had the same "to". Similarly, in the chosen "to" clause, only the first "by" clause which matches who is accessing is used.
>
> There are keywords to avoid these rules ("break", "continue", "stop"), but you don't need them for this.
>
> So, let me try again (still untested, hope I'm getting it right this time):
>
>     access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
>         by dn.onelevel="ou=People,dc=tut,dc=by" set.exact="self/gidNumber & ([10003] | [10007] | [10008])" write
>         by dn.exact="cn=admin,ou=Groups,dc=tut,dc=by" write
>         by dn.exact="cn=manager,ou=Groups,dc=tut,dc=by" write
>         by dn.exact="cn=seller,ou=Groups,dc=tut,dc=by" write
>         by * none

Nope, that also doesn't work.

> BTW, do you really bind as e.g. "cn=seller,ou=Groups,dc=tut,dc=by", or is that the name of a group, as it looks like?

I bind as "cn=Test User,ou=People,dc=tut,dc=by". This entry has the attribute gidNumber=10008. "cn=seller,ou=Groups,dc=tut,dc=by" is a group with gidNumber=10008, but "cn=seller,ou=Groups,dc=tut,dc=by" does not have "cn=Test User,ou=People,dc=tut,dc=by" in its "member" attribute.

>> Is it possible to write some ACLs like: by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
>
> Not directly, but that's in practice what the "set" ACLs emulate:
>
>     by set.exact="self/objectClass & [posixAccount]" set.exact="self/gidNumber & [10008]"
>
> (With multiple rules in a "to" and "by" clause there is an implicit "and" between them.)
>
> Sets are still marked "experimental" though. And they are less efficient than rules that have the logic built in. They are described here in the FAQ: http://www.openldap.org/faq/data/cache/1133.html
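As an added example (not from this thread, and not tested against the poster's directory), here is what the first-match rule and the set-based filter emulation described above look like in slapd.conf form. The DNs are the ones from the thread; the "before" configuration is a reconstruction of the repeated-"to" pattern the message describes, not the poster's actual file, and the posixAccount/gidNumber variant at the end is the filter question from the thread rewritten as set tests. Two deliberate departures from the quoted snippet: in a set expression the bound user's DN is the keyword `user` (and the entry being accessed is `this`) per slapd.access(5) and the sets FAQ, so `user/gidNumber` is used below; and the three group DNs are matched with `group.exact=`, which tests membership (groupOfNames/member by default), because `dn.exact=` on a group DN only ever matches a client that literally binds as that group, which is not what the poster does.

```conf
# BEFORE (reconstructed): three directives with the same <what>.  slapd uses
# only the first "access to" whose <what> matches the target entry, so the
# second and third directives are dead: cn=admin and cn=manager never reach
# their own "by" lines and fall through to the first directive's "by * none".
# (Kept as comments so that this file loads the fixed ACL only.)
#
# access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
#     by dn.exact="cn=seller,ou=Groups,dc=tut,dc=by" write
#     by * none
# access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
#     by dn.exact="cn=admin,ou=Groups,dc=tut,dc=by" write
#     by * none
# access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
#     by dn.exact="cn=manager,ou=Groups,dc=tut,dc=by" write
#     by * none

# AFTER: one <what>, several <who> clauses.  Within the chosen "to", the first
# "by" that matches the bound DN wins, so the catch-all "by * none" must stay
# last.  A "by" clause carrying two <who> specs (dn.onelevel= and set.exact=)
# requires both to hold.  In the set: "user" is the bound DN, "user/gidNumber"
# the set of its gidNumber values, "[10008]" a literal value, "|" union and
# "&" intersection; the result is non-empty only when the user's gidNumber is
# one of the three listed numbers.  Indented lines are slapd.conf continuations.
access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by dn.onelevel="ou=People,dc=tut,dc=by"
       set.exact="user/gidNumber & ([10003] | [10007] | [10008])" write
    by group.exact="cn=admin,ou=Groups,dc=tut,dc=by" write
    by group.exact="cn=manager,ou=Groups,dc=tut,dc=by" write
    by group.exact="cn=seller,ou=Groups,dc=tut,dc=by" write
    by * none

# The filter-style question, "(&(objectClass=posixAccount)(gidNumber=10008))"
# applied to the *bound* entry, expressed as two ANDed set tests on "user".
# Shown as a comment because a second "access to" with the same <what> would
# itself be dead code after the directive above (exactly the first-match trap).
#
# access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
#     by set.exact="user/objectClass & [posixAccount]"
#        set.exact="user/gidNumber & [10008]" write
#     by * none
```

To check the result without an LDAP client, slapacl(8) evaluates the configured ACLs for a given bound DN and target, e.g. `slapacl -f slapd.conf -D "cn=Test User,ou=People,dc=tut,dc=by" -b "ou=Clients,ou=AddressBook,dc=tut,dc=by" entry/write` (the target entry must exist in the database, or pass `-u` to skip fetching it), and running slapd with `-d acl` (debug level 128) logs which "to" and "by" clause was selected for each operation. The efficiency caveat in the message applies here: every `user/gidNumber` evaluation makes slapd read the bound user's entry, which a plain `dn`, `group` or `dnattr` clause does not need.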