In a message dated Monday 21 April 2008 17:30:08 you wrote:
Note, you replied just to me - might have gotten a quicker reply from someone else if you replied to the list. Anyway...
uri_gr1@tut.by writes:
From: uri_gr1@tut.by
I have openldap-2.4.8 up and running. I have ou=People subtree with posixAccounts and I need to grant access to, let's say, ou=Clients,ou=AddressBook by all rdn's in ou=People, having gidNumber=10008.
I'm not quite sure what you mean with "by all rdn's". (...)
user uid=uri_gr1,ou=People,dc=tut,dc=by should have write access to ou=Clients,ou=AddressBook,dc=tut,dc=by subtree if the user entry contains attribute gidNumber: 10008
Still untested -
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10008" write

and maybe

    by * read

or whatever for everyone else
I tested the ACLs below:

# ACL for clients addressbook
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10003" write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10007" write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10008" write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by by * none
#
But it didn't work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is restricted for everyone. Is it possible to write some ACLs like: ... by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
As far as I know it is accepted for "to ..." rules, but what about "by ..."? I tried it earlier, but maybe it failed because of wrong syntax?
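An added example (my own config fragment, not code from the thread or from the OpenLDAP project) of how the posted ACLs behave and how to restructure them. slapd stops at the first "access to" directive whose <what> clause matches the target entry and then only consults that directive's "by" clauses, so with seven directives naming the same subtree only the first (gidNumber 10003) is ever evaluated and every other requester falls through to the implicit "by * none". Assumptions: the set keyword for the bind DN is user (as in slapd.access(5) set syntax; self in the thread is the <who> selector keyword) and literal set values are written in square brackets.

```conf
# Added example, not the poster's configuration.
#
# Why the posted ACLs deny everyone: slapd evaluates "access to" directives
# in file order and STOPS at the first one whose target matches. The subtree
# ou=Clients,ou=AddressBook matches the very first directive, so only its
# single "by ... 10003" clause is consulted; a requester that does not match
# it gets the implicit "by * none". The six later directives are dead.
#
# Fix: one directive for the subtree, all subjects as ordered "by" clauses.
# The first matching "by" clause wins, so list the most specific first.
#
# Assumed set syntax: "user" = entry of the bind DN, "[10008]" = literal value.
# Indented lines are continuations; do not put comments inside the directive.

access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by dn.exact="cn=admin,ou=Groups,dc=tut,dc=by" write
    by dn.exact="cn=manager,ou=Groups,dc=tut,dc=by" write
    by dn.exact="cn=seller,ou=Groups,dc=tut,dc=by" write
    by dn.onelevel="ou=People,dc=tut,dc=by" set.exact="user/gidNumber & [10003]" write
    by dn.onelevel="ou=People,dc=tut,dc=by" set.exact="user/gidNumber & [10007]" write
    by dn.onelevel="ou=People,dc=tut,dc=by" set.exact="user/gidNumber & [10008]" write
    by * none
```

Before reloading, check the decision for one account without binding to the server, for example slapacl -f slapd.conf -D "uid=uri_gr1,ou=People,dc=tut,dc=by" -b "ou=Clients,ou=AddressBook,dc=tut,dc=by" entry/write, and repeat it for an account in a gidNumber outside the three to confirm it is denied.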