On 04.06.2009 14:24, Tyler Gates wrote:
Tyler Gates wrote:
Hello, I'm having a hard time setting some ACL's for my particular setup. I have a structure as follows: dn: uid=*,ou=people,dc=example,dc=com # uid contains several unix/linux user ids dn: cn=*,ou=groups,dc=example,dc=com # cn contains several unix/linux groups. uid's (not the complete dn) are supplied to the memberUid fields
What I would like to do is place an organizationalRole in each group and have ACL's setup so that it's uniqueMembers have access to certain attrs (say for example sn) for the uid's (which correspond to those in ou=people) specified in the memberUid fields of the group in which the organizationalRole is placed.
psuedo code would be something as follows:
access to group/posixAccount/memberUid.regex("cn=(.*),ou=groups,dc=example,dc=com") attrs sn by group/organizationalRole/uniqueMembers/.regex("cn=admin,cn=$1,ou=groups,dc=example,dc=com") write
Thanks, Tyler
Hi,
you can use sets for this:
access to dn.regex="^(cn=[^,]+,ou=groups,dc=example,dc=com)$" attrs="sn" by set.expand="[cn=admin,$1]/memberUid& user/uid" write
Regards, Christian
Hi Christian, I think I get the set's but that ACL doesn't work, and I'm not sure if regex's or set's will even do the job. A conditional statement if possible may be the only way. Again I'm looking for members of an organizational role (cn=admin,cn=groupname,ou=group,dc=example,dc=com) placed in a group (cn=groupname,ou=group,dc=example,dc=com) to be able to access ONLY the people listed in that group (group/OrganizationalRole/memberUid((cn=groupname,ou=group,dc=example,dc=com)) and nobody else. The people listed in that group are the memberUid and should match up to the complete dn as defined in uid=<memberUid>,ou=people,dc=example,dc=com.
Hi,
You can use ACL sets to do this, as follows. I have adapted the example to use organizationalRole's roleOccupant attribute, instead of memberUid.
access to dn.children="ou=people,dc=my-domain,dc=com" attrs=sn,entry by set="((([ldap:///ou=group,dc=my-domain,dc=com??sub?(&(objectclass=organizationalRole)(cn=admin)(roleOccupant=] + user/entryDN + [))])/entryDN)/-1)/memberUid & this/uid" read
Quick description: 1) Find all entries under "ou=group,dc=my-domain,dc=com" that match the filter "(&(objectclass=organizationalRole)(cn=admin)(roleOccupant=<current user's DN>", and get their DN ("/entryDN") - this is all the admin groups the current user is a member of. 2) For each of them, go up one level ("/-1"), thus getting the group that they are an admin of. 3) Get the memberUid attributes of this group ("/memberUid") 4) Match them with the uid of the object we're trying to read.
See http://www.openldap.org/faq/data/cache/1133.html for more info on sets syntax.
Of course, for this to work, you must allow auth access to the admin user accounts, and search access to objects in ou=People.
Regards, Jonathan