Gary Mann wrote:
a question: we have a requirement where only users that have a role are able to see role membership. so if i have role A, i can see the membership for role A (search on nsRole=<roleA>) but cannot necessarily see role B members, etc. the same restriction applies when pulling the nsRole attribute.is there any way (via aci) to support this? i've implemented a plugin (actually 2 - a computed attribute and preop) that supports this but wanted to make sure that i wasn't missing something in aci setup that would accomplish the same thing.
Perhaps by using a targetfilter? e.g. assuming the role definition entry is cn=MyRole,ou=people,dc=example,dc=com
dn: ou=people,dc=example,dc=com ...aci: (targetattr="uid || cn")(targetfilter="(nsRole=cn=MyRole,ou=people,dc=example,dc=com)")(version 3.0; acl "Allow people to see other role members"; allow (read, search, compare) roledn = "ldap:///cn=MyRole,ou=people,dc=example,dc=com";;)
This allows people who are a member of MyRole to see the attributes uid and cn in any entry under ou=people which matches nsRole=cn=myRole,.... (i.e. any entry which belongs to that role).
I haven't tried it out but this or something like this should work.See here for more info http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997355
Thanks, Gary -- Fedora-directory-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-directory-users
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-directory-users
