Jaap Winius wrote:
Quoting Dieter Kluenter<[email protected]>:
this rule should do the trick:
access to dn.regex="cn=([^,]+),ou=whatsoever$"
attrs=telephoneNumber
by set="user/title& [telephoneManager]" write
Yes!!!
This is what I'm using now:
access to attrs=telephoneNumber
by set="user/title& [telephonemanager]" write
by users read
This works for a user with attr title=telephonemanager. However, to
demonstrate the flexibility of this set rule...
access to attrs=telephoneNumber
by set="user/description& [telephonemanager]" write
by users read
... this works for a user with attr description=telephonemanager!
This is cool regardless, but I think my NIU-friend would say that it's
cool because this set rule allows you to give users telephonemanager
privileges without the need to maintain a telephonemanager group.
Actually, I think this solution can be improved upon significantly.
For example, what if our privileged user had this attribute:
description: titlemanager telephonemanager addressmanager
Can a a set rule be devised to match not only users with a description
value that equals "telephonemanager", but also one that includes it in
a longer string? We would need something like:
access to attrs=telephoneNumber
by set="user/description& [*telephonemanager*]" write
by users read
Only, that doesn't work.
Is this possible?
It is unnecessary. The description attribute is multivalued, just use it
correctly.
description: titlemanager
description: telephonemanager
description: addressmanager
I'll also note that using a set for this purpose is still inferior to using a
dynamic group, in terms of performance. Dynamic group evaluations are cached,
sets are not.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
