Dave Holland <[EMAIL PROTECTED]> writes:

> [Apologies if this arrives twice; I sent it yesterday but I didn't get a
> copy back from the list, nor is there a copy at www.mail-archive.com.]
>
> I have a slightly unusual access control requirement which I'd
> appreciate some advice on.
>
> In our directory there are a bunch of per-project subtrees:
>
>   ou=project1,ou=projects,...
>   ou=project2,ou=projects,...
>
> I've been controlling write access to the subtrees like this:
>
>   access to dn.regex="ou=([^,]+),ou=projects,..."
>     by group.expand="cn=administrators,ou=$1,ou=projects,..." write
>     by * read
>
> where cn=administrators is a groupOfNames. This works well.
>
> Now I've been asked to implement the following additional behaviour:
>
> If a cn=readers groupOfNames entry is present, allow read-only access to
> those DNs, allow write access to DNs in cn=administrators, and disallow
> access to everyone else. But if there is NO cn=readers entry, allow read
> access to anyone.
>
> The first part is a simple extension of what I've already got. But how
> can I implement the different behaviour with no cn=readers entry?
>
> I'm using OpenLDAP 2.2 with the bdb backend. I'm happy to upgrade to
> 2.3 if necessary.
You don't have to update. I think 'sets' will ideally meet your tasks.
http://www.openldap.org/faq/data/cache/1133.html

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
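As an added illustration of the sets approach (this slapd.conf fragment is not from either poster or from the OpenLDAP FAQ), here is one way the "readers group present or absent" logic can be expressed. The `...` suffix from the original post is replaced by the placeholder `dc=example,dc=com`; the `set.expand` style and the `[dn]/attribute` dereference form are taken from the slapd.access(5) manual page of OpenLDAP 2.3 and later, so the exact spelling should be checked against the release actually in use. The trick is that a set that dereferences a non-existent entry is empty and therefore evaluates to false, which lets a `by ... none` clause fire only when `cn=readers` exists.

```conf
# Added example: per-project ACL using sets. The suffix dc=example,dc=com
# is a placeholder for the real base DN. Clauses are evaluated in order;
# the first "by" whose <who> matches decides the result (no "break").
access to dn.regex="^(.+,)?ou=([^,]+),ou=projects,dc=example,dc=com$"
    # Members of the project's cn=administrators group may write.
    by set.expand="[cn=administrators,ou=$2,ou=projects,dc=example,dc=com]/member & user" write
    # Members of the project's cn=readers group (if it exists) may read.
    by set.expand="[cn=readers,ou=$2,ou=projects,dc=example,dc=com]/member & user" read
    # If the cn=readers entry exists at all, its objectClass set is
    # non-empty, so this clause matches for everyone else and denies them.
    # If the entry does not exist the set is empty, the clause is skipped,
    # and evaluation falls through to the final "by * read".
    by set.expand="[cn=readers,ou=$2,ou=projects,dc=example,dc=com]/objectClass" none
    # No cn=readers entry for this project: anyone may read.
    by * read
```

Two points worth verifying on a test server before relying on this: the `dn.regex` above is anchored and captures the whole subtree (entries below the project `ou` as well as the `ou` itself), which is why the project name is `$2` rather than `$1`; and, because `none` is a terminal decision here, an accidental `cn=readers` entry with no `member` values locks the whole project down to its administrators, which may be exactly the intent but is easy to miss during a migration.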
