On 27/3/2012 4:43 PM, Hallvard B Furuseth wrote:
> Nick Milas wrote:
>> Let me re-phrase: Can we express the following three statements using
>> ONE ACL statement? I haven't been able to find a solution.
>>
>>     access to dn.subtree="ou=people,dc=example,dc=com"
>>         filter="(ou=dept1)" attrs="attr1,attr2"
>>         by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com"
>>         write
>>     [...same with other depts...]
>>
> This should work with normal OU names, but I'd feel nervous using it
> since OU names involving '] ... [' would give an "ACL injection
> attack":
>
>     access to dn.subtree="ou=people,dc=example,dc=com"
>         attrs="attr1,attr2" filter="(ou=dept*)"
>         by set.exact="user & ([cn=] + this/ou +
>             [Admins,ou=Groups,dc=example,dc=com])/member" write
Hi Hallvard,
Examining your suggestion above, I think it will not work, because it
gives write access to ou=dept* (that is, to *all* ou dept values) by
*any* *Admins group, whereas we want xxxAdmins to have write access
only to filter="(ou=deptxxx)".
So, in this case, only your second suggestion would work:

    access to dn.subtree="ou=people,dc=example,dc=com"
        attrs="attr1,attr2" filter="(owner=*)"
        by set.exact="user & this/owner/member" write

... which requires us to define an owner attribute per entry.
Am I right?
The problem is that we cannot specify in an ACL any "expandable"
wildcard (as is possible in the main <what> clause). Would such
functionality be planned for the future?
Thanks and regards,
Nick
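The thread turns on how slapd evaluates the two `by set.exact=` expressions above (the one built from `this/ou` and the one built from `this/owner`). As an added editorial example, not code from the thread or from OpenLDAP, the script below models just enough of the set syntax documented in slapd.access(5) (`user`, `this`, `[literal]`, `/attr` dereferencing, `&`, and `+` concatenation) to evaluate both expressions against a small constructed directory (two people in ou=people with ou=dept1/dept2 and matching owner attributes, two groups dept1Admins/dept2Admins, two admin DNs). Assumptions made here: operators are applied left to right with equal precedence (the thread's expressions are parenthesised, so this does not affect them), and DNs and values are compared as lower-cased strings rather than with slapd's DN matching rules.

```python
"""Model of a slapd `by set=...` clause, written for this page; not OpenLDAP code.

Covers just enough of the set syntax in slapd.access(5) (`user`, `this`, `[literal]`,
`/attr` dereferencing, `&`, `+` concatenation) to evaluate the thread's two set
expressions against a constructed directory.  Assumed: equal operator precedence,
left to right, and lower-cased string comparison instead of slapd's DN matching.
"""
import re

# Constructed directory: DN -> {attribute: [values]}; keys are lower-case.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "ou": ["dept1"], "owner": ["cn=dept1Admins,ou=Groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "ou": ["dept2"], "owner": ["cn=dept2Admins,ou=Groups,dc=example,dc=com"]},
    "cn=dept1admins,ou=groups,dc=example,dc=com": {"member": ["uid=adm1,ou=people,dc=example,dc=com"]},
    "cn=dept2admins,ou=groups,dc=example,dc=com": {"member": ["uid=adm2,ou=people,dc=example,dc=com"]},
}

# The two `by set.exact=` expressions from the thread.
DEPT_SET = "user & ([cn=] + this/ou + [Admins,ou=Groups,dc=example,dc=com])/member"
OWNER_SET = "user & this/owner/member"

TOKEN_RE = re.compile(r"\[[^\]]*\]|[A-Za-z][A-Za-z0-9-]*|\S")


def tokenize(expr):
    """Yield ('lit'|'name'|'op', text) tokens; whitespace is skipped."""
    for tok in TOKEN_RE.findall(expr):
        if len(tok) > 1 and tok[0] == "[":
            yield "lit", tok[1:-1]          # drop the [ ] brackets
        elif tok[0].isalpha():
            yield "name", tok
        elif tok in "/&+()":
            yield "op", tok
        else:
            raise ValueError(f"unexpected {tok!r} in set expression")


class SetEvaluator:
    """Recursive descent: expr := term (('&'|'+') term)*, term := atom ('/' attr)*."""

    def __init__(self, directory, bound_dn, target_dn):
        self.dir = directory
        self.user = {bound_dn.lower()}    # `user` is the bound DN
        self.this = {target_dn.lower()}   # `this` is the entry being accessed

    def evaluate(self, expr):
        self.toks, self.i = list(tokenize(expr)) + [("end", None)], 0
        result = self._expr()
        if self.toks[self.i] != ("end", None):
            raise ValueError("trailing tokens in set expression")
        return result

    def _next(self):
        self.i += 1
        return self.toks[self.i - 1]

    def _expr(self):
        left = self._term()
        while self.toks[self.i] in (("op", "&"), ("op", "+")):
            op, right = self._next()[1], self._term()
            if op == "&":
                left = left & right
            else:                          # '+' concatenates every pair of strings
                left = {a + b for a in left for b in right}
        return left

    def _term(self):
        value = self._atom()
        while self.toks[self.i] == ("op", "/"):
            self._next()
            kind, attr = self._next()
            if kind != "name":
                raise ValueError("attribute name expected after '/'")
            # Dereference: look up every DN in the set, collect that attribute's values.
            value = {v.lower() for dn in value
                     for v in self.dir.get(dn.lower(), {}).get(attr.lower(), [])}
        return value

    def _atom(self):
        kind, val = self._next()
        if kind == "name" and val in ("user", "this"):
            return set(getattr(self, val))     # the two built-in sets
        if kind == "lit":
            return {val}
        if (kind, val) == ("op", "("):
            inner = self._expr()
            if self._next() != ("op", ")"):
                raise ValueError("missing ')' in set expression")
            return inner
        raise ValueError(f"unexpected token {val!r} in set expression")


def set_grants(expr, bound_dn, target_dn, directory=DIRECTORY):
    """A `by set=...` clause matches when the resulting set is non-empty."""
    return bool(SetEvaluator(directory, bound_dn, target_dn).evaluate(expr))


if __name__ == "__main__":
    for expr in (DEPT_SET, OWNER_SET):
        for admin in ("uid=adm1,ou=people,dc=example,dc=com", "uid=adm2,ou=people,dc=example,dc=com"):
            grants = [t for t in DIRECTORY if t.startswith("uid=") and set_grants(expr, admin, t)]
            print(f"{admin.split(',')[0]} may write, under {expr!r}: {grants}")
```

Running it prints, for each expression, which people entries each admin DN would get `write` on. Note that in this model an ou value is concatenated as data and never re-tokenized; whether slapd's own set parser behaves the same for OU names containing `]` or `[` is exactly the concern Hallvard raises, and this model does not settle it.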