Tim Watts wrote:
Sorry - this is probably very basic, but I cannot get my head around how to write an ACL that prevents "auth" unless the user's employeeType attribute is in a particular list (or NOT in a shorter list).
I have a slapd config line:
constraint_attribute employeeType regex ^(Staff|External|MA|PhD|Intern|System|Archive|Delete)$
However, I'd like to limit the ability to bind (auth) to those users whose employeeType is NOT [regex ^(Archive|Delete)$]
# some entries matching filter
access to attrs=userPassword
        filter=(!(|(employeeType=Archive)(employeeType=Delete)))
    by ..some who clauses for setting password
    by * auth

# all other entries
access to attrs=userPassword
    by * none

The second ACL is important!
Current ACLs are fairly simple:
access to dn.base="" by * read
access to attrs=userPassword by peername.path="/var/run/slapd/ldapi" manage
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This is somewhat dangerous because it gives any process which has write access to the LDAPI socket *manage* rights. I'd recommend not to do that. Rather use authz-regexp mappings to explicitly map certain OS accounts to real LDAP entries.
by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage
Set-ACLs are slow. I'd recommend to use groupOfNames entries to achieve this.
Ciao, Michael.
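Putting the three points of this thread together (filter-restricted auth, an explicit authz-regexp mapping for the LDAPI socket, and a groupOfNames admin group instead of a set clause), here is an added slapd.conf fragment; it is not from either poster. The base DN and the cn=sysadmin group DN come from the thread; the uid=ldapadmin entry, the ou=people container, the "by self write" clause and the root-on-LDAPI mapping are assumptions for the example.

```conf
# Added example, not from the thread. Assumes uid=ldapadmin,ou=people exists
# and is listed as a member of cn=sysadmin (groupOfNames / member).

# Map only the root OS account (uid 0 / gid 0) connecting over the LDAPI
# socket with SASL EXTERNAL to one named entry, instead of giving every
# process that can open the socket manage rights via peername.path.
authz-regexp
  "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "uid=ldapadmin,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk"

# The admin group as a groupOfNames entry (loaded separately via LDIF):
#   dn: cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk
#   objectClass: groupOfNames
#   cn: sysadmin
#   member: uid=ldapadmin,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk

access to dn.base="" by * read

# Only entries whose employeeType is neither Archive nor Delete may bind.
# LDAP NOT takes a single operand, so the two equality filters are ORed
# first and the whole OR is negated.
access to attrs=userPassword
        filter=(!(|(employeeType=Archive)(employeeType=Delete)))
    by dn.exact="uid=ldapadmin,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
    by group.exact="cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
    by self write
    by * auth

# Every other entry: Archive/Delete accounts and entries with no employeeType
# at all. No "auth" here, so bind attempts against these entries fail.
# slapd stops at the first "access to" clause whose target matches, so this
# catch-all must stay after the filtered clause.
access to attrs=userPassword
    by dn.exact="uid=ldapadmin,ou=people,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
    by group.exact="cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
    by * none
```

Two things to check after loading this: entries without an employeeType value fall through to the second clause and can no longer bind, which is usually what you want but catches service accounts created without the attribute; and group.exact defaults to objectClass groupOfNames with the member attribute, so a group still populated with memberUid values will not grant anything until it is converted.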