Hi All,
I'm pretty sure that this isn't possible, but wanted to check as my head hurts now.
I have dynamic lists using slapo-dynlist with the Organization attribute of 'o' and I am trying to keep my DIT as flat as possible.
I want to create an ACL that is "by group", which is fine. But... I don't want to hardcode a group.
I want to "capture" o via a regex and use that in the "by group" like so:
access to dn.subtree="ou=Users,dc=suretec,dc=co,dc=uk" attrs=o val.regex="(.+)" attrs=children,entry
    by group.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk" read
    by self write
or something like the following using a previous capture:
access to filter=(&(objectClass=inetOrgPerson)(o=$1))
    by group/groupOfURLs/memberURL.expand="cn=$1,ou=Groups,dc=suretec,dc=co,dc=uk" read
    by self write
    by * none
Issue is you can't pass captures between "access by" statements and my ACLs are flawed based on what you're searching for, which would be perfect. The goal being users in the same group can only see users on ou=Users of that group, without hard-coding the group name in the conf.
I guess I'll have to create branches to split up users. Then again, I'm adding a group to ou=Groups, why shouldn't I at the same time add a new ACL via cn=config?
Cheers.
-- Kind Regards,
Gavin Henry. Managing Director.
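Added example, not part of the original post or of OpenLDAP: one way to script the idea in the last paragraph above, generating the group entry and a matching per-group olcAccess rule together. The database DN, the memberURL layout, the position index and the sample name "Acme" are assumptions; the suffixes and the group/groupOfURLs/memberURL form come from the post.

```python
import re

# Suffixes are from the post. DB_DN is an assumption; use the real database entry.
DB_DN = "olcDatabase={1}mdb,cn=config"
USERS = "ou=Users,dc=suretec,dc=co,dc=uk"
GROUPS = "ou=Groups,dc=suretec,dc=co,dc=uk"

# The name is pasted into a DN, a search filter, an LDAP URL and an ACL line,
# so accept only characters that are not special in any of those syntaxes.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")


def provision_ldif(org, index):
    """Return (group_ldif, acl_ldif) for one organisation.

    index is the olcAccess position to insert at. The rule covers every
    attribute of the matched entries, so it belongs after any userPassword
    rule and before any catch-all "to *" rule.
    """
    if not SAFE_NAME.fullmatch(org):
        raise ValueError("unsafe organisation name: %r" % (org,))
    if not isinstance(index, int) or index < 0:
        raise ValueError("index must be a non-negative integer")
    group_dn = "cn=%s,%s" % (org, GROUPS)
    # Dynamic group whose members are the users carrying this o value
    # (assumed layout for the slapo-dynlist setup described in the post).
    group_ldif = "\n".join([
        "dn: " + group_dn,
        "changetype: add",
        "objectClass: groupOfURLs",
        "cn: " + org,
        "memberURL: ldap:///%s??sub?(o=%s)" % (USERS, org),
        "",
    ])
    # "by self" comes first: the first matching "by" clause wins, so a group
    # member would otherwise stop at read and never reach write.
    acl = ('{%d}to dn.subtree="%s" filter=(o=%s) by self write '
           'by group/groupOfURLs/memberURL.exact="%s" read by * none'
           % (index, USERS, org, group_dn))
    acl_ldif = "\n".join([
        "dn: " + DB_DN,
        "changetype: modify",
        "add: olcAccess",
        "olcAccess: " + acl,
        "",
    ])
    return group_ldif, acl_ldif
```

The two LDIF records are returned separately because the identity that may write cn=config is often not the one that writes ou=Groups.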
I guess I'll need to re-work my DIT then to make this design sane.
Thanks.
openldap-technical@openldap.org