"Dieter Kluenter" <[email protected]> writes:

> Frederik Bosch <[email protected]> writes:
>
>> Unfortunately, I can't get it working. Thanks again though! I am
>> still not able to read, only auth/bind.
>> Suppose I have the following setup.
>>
>> dn: cn=Role Example 1,o=Organization
>> objectClass: organizationalRole
>> cn: Role Example 1
>> roleOccupant: [email protected],ou=Partners,o=Organization
>> roleOccupant: [email protected],ou=Partners,o=Organization
>> roleOccupant: [email protected],ou=Partners,o=Organization
>>
>> dn: cn=Role Example 2,o=Organization
>> objectClass: organizationalRole
>> cn: Role Example 2
>> roleOccupant: [email protected],ou=Other,o=Organization
>> roleOccupant: [email protected],ou=Other,o=Organization
>> roleOccupant: [email protected],ou=Other,o=Organization
>>
>> dn: cn=Role Example N,o=Organization
>> objectClass: organizationalRole
>> cn: Role Example N
>> roleOccupant: uid=xx,ou=Misc,o=Organization
>> roleOccupant: uid=yy,ou=Misc,o=Organization
>> roleOccupant: uid=zz,ou=Misc,o=Organization
>>
>> Now I want to assign read access to the complete LDAP tree for all
>> occupants of an organizationalRole.
>
> Something like
>
>     access to dn.subtree="o=organization"
>         by group/organizationalRole/roleOccupant.expand="^cn=[^,]+,ou=[^,]+,o=organization$" read
>
> You may check with slapd in debugging mode (-d acl) and read
> man slapd.access(5) for more examples.

Another experimental approach would be sets and URI expansion, something
like this untested example:

    access to dn.subtree="o=organization"
        by set.expand="[ldap:///o=organization??sub?objectclass=organizationalRole]/roleOccupant" read

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: [email protected]
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6

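The static form of the group clause Dieter suggests, written out as a complete slapd.conf fragment. This is an added example and not part of the thread; the role DNs are taken from Frederik's setup, while the userPassword directive, the `by * none` fallback and the ordering of the directives are assumptions about what the rest of the configuration should look like.

```conf
# Added example, not from the mailing-list thread.
# slapd evaluates "access to" directives in order and the first one whose
# <what> clause matches the target entry/attribute is the only one applied,
# so the userPassword rule has to come before the tree-wide rule, otherwise
# the subtree rule swallows userPassword and simple bind stops working.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Static group clause: group/<objectClass>/<member attribute>=<DN of the
# group entry>. slapd fetches that entry and grants "read" to any bound DN
# that appears as a roleOccupant value in it. One "by" line per role entry;
# no .expand style is needed because nothing from <what> is substituted.
access to dn.subtree="o=Organization"
    by group/organizationalRole/roleOccupant="cn=Role Example 1,o=Organization" read
    by group/organizationalRole/roleOccupant="cn=Role Example 2,o=Organization" read
    by group/organizationalRole/roleOccupant="cn=Role Example N,o=Organization" read
    by * none
```

The match is on the bound DN exactly as it appears in roleOccupant, so an occupant that binds with a DN spelled differently from the stored value gets nothing. To check a single decision without restarting slapd in debug mode, slapacl(8) evaluates the configuration offline, for example `slapacl -f slapd.conf -D "uid=xx,ou=Misc,o=Organization" -b "cn=Role Example 2,o=Organization" cn/read`, which reports whether read on cn is ALLOWED or DENIED for that bound DN.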