Thank you, Andrew, for that clear example and explanation. I have successfully implemented this now.
Regards
Philip

On 30 January 2013 08:00, Andrew Findlay <[email protected]> wrote:
> On Thu, Jan 24, 2013 at 12:22:18PM +0000, Philip Colmer wrote:
>
> > What I want/need to be able to do is for LDAP to read the DN of the group that
> > has permission, in the same way that it does with dnattr. I thought that I had
> > read something about this being possible with sets, but slapd.access says that
> > "The statement set=<pattern> is undocumented yet." so I'm not clear if that is
> > the most appropriate way to proceed.
> >
> > Can someone please advise on how this might be accomplished?
>
> Sets are indeed the answer. The documentation only exists in
> the OpenLDAP FAQ-o-matic at present, but you need something
> like this:
>
>     access to dn.sub="ou=groups,dc=example,dc=com"
>         by set="this/manager/member & user" write
>         by users read
>         by * none
>
> That ACL would give write access to members of any group whose
> DN is listed in the "manager" attribute.
>
> The basic idea is that "this/manager/member" produces a set of DNs,
> "user" produces a set containing the DN of the bound user,
> and "&" generates the intersection of the two sets.
> If the result is a non-empty set then the "by" clause applies.
>
> Andrew
> --
> -----------------------------------------------------------------------
> | From Andrew Findlay, Skills 1st Ltd                                 |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/                        +44 1628 782565 |
> -----------------------------------------------------------------------
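A worked configuration for the set-based ACL in Andrew's reply, added here as an illustration and not part of the original thread. It expresses the same `access to` rule in cn=config form (`olcAccess`) and supplies constructed directory data that makes the set expression evaluate step by step. Assumptions: the backend database is `olcDatabase={1}mdb,cn=config`, the cosine schema (which defines `manager`) is loaded, and `extensibleObject` is added to the managed group only so that `manager` is permitted on a `groupOfNames`; entry names and users are invented for the example.

```ldif
# --- ACL: same rule as in the thread, written as an olcAccess value -------
# Assumption: the data database is olcDatabase={1}mdb,cn=config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.sub="ou=groups,dc=example,dc=com"
  by set="this/manager/member & user" write
  by users read
  by * none

# --- Constructed data that the set expression walks over -------------------

# The "managing" group: its member values are the DNs that will be granted write.
dn: cn=admins,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com

# The managed group: its manager attribute points at cn=admins.
# Assumption: extensibleObject is used only so that manager (cosine schema)
# is allowed on a groupOfNames in this example.
dn: cn=developers,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
objectClass: extensibleObject
cn: developers
manager: cn=admins,ou=groups,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

# Evaluation when alice (bound as uid=alice,...) modifies cn=developers:
#   this                    = { cn=developers,ou=groups,dc=example,dc=com }
#   this/manager            = { cn=admins,ou=groups,dc=example,dc=com }
#   this/manager/member     = { uid=alice,ou=people,dc=example,dc=com }
#   user                    = { uid=alice,ou=people,dc=example,dc=com }
#   intersection (&)        = { uid=alice,... }  -> non-empty -> "write" applies
#
# Evaluation when bob modifies cn=developers:
#   this/manager/member     = { uid=alice,... }
#   user                    = { uid=bob,... }
#   intersection (&)        = {}                 -> empty -> falls through to
#                                                   "by users read"
```

Note that bob's own membership of cn=developers gives him nothing here: the set expression looks only at the members of whatever entry the group's `manager` attribute names, not at the group's own `member` list. To confirm the rule in a test directory, bind as each user in turn and attempt a modify on `cn=developers`; only alice's should succeed, and `slapd -d acl` (or the `acl` loglevel) shows the set being evaluated.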
