Fabrice Eudes wrote:
> Pierangelo Masarati wrote:
>> if access depends on values in the "who", use sets; in your case,
>> something like
>>
>> access to dn="cn=foo,ou=groups,dc=example,dc=com"
>>     attrs=cn,description,memberUid,entry
>>     by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
>
> wow! no chance I could find that on my own, especially because the
> slapd.access manpage says « The statement set=<pattern> is undocumented
> yet. » :-)

The only documentation is in <http://www.openldap.org/faq/data/cache/1133.html>.

>> should work (note: indentation has probably been destroyed by my
>> mailer).
>
> no, it doesn't work :-(
> precisely, in slapd.conf, I've added:
>
>> access to dn.children="ou=groupes,dc=domain"
>>     attrs=cn,description,memberUid,entry
>>     by dn="cn=adminLDAP,dc=domain" write
>>     by set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
>>     by users read
>
> iremLillePerson = inetOrgPerson + groupesTravail (multi-valued)
> 1200 = value of the attribute for which I want to give write access.
>
> when I give an explicit:
>     by dn="cn=name,ou=personnes,dc=domain"
> instead of the set clause, it works.

My fault (and a bug in the code): remove the "1.1", leaving the "attrs"
field of the URI empty.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   [EMAIL PROTECTED]
---------------------------------------
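As an added illustration of the fix discussed in the thread (this is not configuration posted by either participant), here is the failing ACL next to the corrected one, using the same placeholder DNs (`dc=domain`, `ou=groupes`, `ou=personnes`, `iremLillePerson`, `groupesTravail=1200`) as in the thread. The comments describe how slapd evaluates a `set` clause: the bracketed LDAP URI is expanded by an internal search, `/entryDN` projects the DNs of the matching entries, `&` intersects that set with `user` (the DN the requester authenticated as), and the `by` clause applies only when the result is non-empty.

```conf
# --- BROKEN: attrs field of the URI is "1.1" (request no attributes) ---
# With "1.1" the set never yields the requester's DN, so the second
# "by" clause never matches and a chief falls through to "by users read".
access to dn.children="ou=groupes,dc=domain"
    attrs=cn,description,memberUid,entry
    by dn="cn=adminLDAP,dc=domain" write
    by set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
    by users read

# --- FIXED: leave the attrs field of the URI empty (note the "??") ---
# Evaluation, for a requester bound as cn=name,ou=personnes,dc=domain:
#   1. slapd runs an internal subtree search under ou=personnes,dc=domain
#      with filter (&(objectClass=iremLillePerson)(groupesTravail=1200)).
#   2. "/entryDN" turns the matching entries into the set of their DNs.
#   3. "& user" intersects that set with { cn=name,ou=personnes,dc=domain }.
#   4. A non-empty intersection means this "by" clause matches -> write.
# "by" clauses are tried in order and the first match wins, so the admin
# clause stays first and "by users read" remains the fallback for everyone
# else who is authenticated. "entry" is listed in attrs because writing
# attribute values also requires write access to the entry pseudo-attribute.
access to dn.children="ou=groupes,dc=domain"
    attrs=cn,description,memberUid,entry
    by dn="cn=adminLDAP,dc=domain" write
    by set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
    by users read
```

The result can be checked offline with `slapacl`, which evaluates the configured ACLs for a given identity and target without a running server; for example `slapacl -D "cn=name,ou=personnes,dc=domain" -b "cn=SOMEGROUP,ou=groupes,dc=domain" memberUid/write` (the group DN is a placeholder) should report `ALLOWED` with the corrected directive and `DENIED` with the `1.1` form.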
