greetings,

I'm trying to configure ACL, I believe it is possible to ... but after some attempts I doubt it is ... please, help me to understand where I'm making the mistake/s ...

I need to manage possibility for "coadmins" group members to manage all except the objects of "admins" group members

forgive me please my long explanation ...

so I have:

Important: the starting point in my case is auth accounts structure: users do auth with (let's call it) "root" objects (most upper level): uid=<USER>,ou=People,dc=abc

---[ accounts and groups start ]-------------------------------------------
dn: uid=admin1,ou=People,dc=abc

dn: uid=admin7,ou=People,dc=abc

dn: uid=bil,authorizedService=serviceD,uid=admin7,ou=People,dc=abc

dn: uid=coadmin5,ou=People,dc=abc

dn: uid=johndoe,authorizedService=serviceA,uid=coadmin5,ou=People,dc=abc

dn: uid=coadmin6,ou=People,dc=abc

dn: cn=admins,dc=abc
memberUid: admin1
---[ accounts and groups end ]-------------------------------------------

group objects memberUid attribute value contains uid of the "root" objects

---[ group structure start ]-------------------------------------------
dn: cn=coadmins,ou=group,dc=abc
memberUid: coadmin5
memberUid: coadmin6
---[ group structure end ]-------------------------------------------

here is the ACL I managed to work as I want:

---[ quotation start ]-------------------------------------------
access to dn.subtree="dc=abc" attrs=userPassword
    by set="[cn=admin,ou=group,dc=abc]/memberUid & user/uid" manage
    by set.exact="this/-2 & user" write
    by self write
    by anonymous auth
    by * break
---[ quotation end ]-------------------------------------------

this allows admins to manage passwords of anybody, and for all other users to manage passwords of self "root" account and service accounts (look at the structure of account objects above)

and now, I had a hope to do the same to get the possibility for coadmins to manage passwords of anybody except admins, and here is what I thought about:

---[ quotation start ]-------------------------------------------
access to dn.subtree="dc=abc" attrs=userPassword
    by set="[cn=admin,ou=group,dc=abc]/memberUid & user/uid" manage
    by set="(([cn=admin,ou=group,dc=abc]/memberUid & this/uid) | ([cn=admin,ou=group,dc=abc]/memberUid & [this/-2]/uid)) & ([cn=coadmin,ou=group,dc=abc]/memberUid & user/uid)" disclose
    by set="[cn=coadmin,ou=group,dc=abc]/memberUid & user/uid" manage
    by set.exact="this/-2 & user" write
    by self write
    by anonymous auth
    by * break
---[ quotation end ]-------------------------------------------

and it doesn't work

the initial idea of the second `by set=' row is: for coadmins, to disallow all access to userPassword if the account belongs to an admin

am I right to expect:

1.1. "[cn=admin,ou=group,dc=abc]/memberUid & this/uid" is true if the uid of the current record is a member of the group `admin', when `this' is the very "root" account (uid=admin7,ou=People,dc=abc)

1.2. "[cn=admin,ou=group,dc=abc]/memberUid & [this/-2]/uid" is true if the uid of the "root" account (uid=admin7,ou=People,dc=abc) is an admin group member, when `this' is a service account like: uid=bil,authorizedService=serviceD,uid=admin7,ou=People,dc=abc
`this/-2' trims it to `uid=admin7,ou=People,dc=abc' and `/uid' has to provide the uid value

1.3. "[cn=coadmin,ou=group,dc=abc]/memberUid & user/uid" is true if the currently logged-in user's uid is a coadmin group member

so ... was I successful in explaining what I want? :)

-- 
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
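The three expectations 1.1, 1.2 and 1.3 above can be checked by walking the second ACL top to bottom for every (bound user, target entry) pair and recording which `by` clause fires first. The script below is an added example, not the poster's configuration and not slapd's own ACL engine: it models the set expressions with plain Python sets under the poster's own reading of the syntax (`this/-2` strips two RDNs, `[dn]/attr` yields that entry's attribute values, `&`/`|` are intersection/union, a non-empty set means the clause matches). The directory it uses is constructed to mirror the post, with the group DNs the ACL refers to (cn=admin and cn=coadmin under ou=group) and admin7 listed as an admin, as the post's own examples assume.

```python
"""Model of the poster's second userPassword ACL (added example, not slapd).

Assumptions (not from the post): slapd's set syntax is approximated with
Python sets; 'dn/-N' drops the N leftmost RDNs as the poster describes;
the first matching 'by' clause wins and 'by * break' grants nothing here.
"""

# Constructed directory mirroring the post; not the poster's live data.
DIRECTORY = {
    "uid=admin1,ou=People,dc=abc": {"uid": {"admin1"}},
    "uid=admin7,ou=People,dc=abc": {"uid": {"admin7"}},
    "uid=bil,authorizedService=serviceD,uid=admin7,ou=People,dc=abc": {"uid": {"bil"}},
    "uid=coadmin5,ou=People,dc=abc": {"uid": {"coadmin5"}},
    "uid=johndoe,authorizedService=serviceA,uid=coadmin5,ou=People,dc=abc": {"uid": {"johndoe"}},
    "uid=coadmin6,ou=People,dc=abc": {"uid": {"coadmin6"}},
    # Group DNs as written in the ACL (the post's LDIF names them differently).
    "cn=admin,ou=group,dc=abc": {"memberUid": {"admin1", "admin7"}},
    "cn=coadmin,ou=group,dc=abc": {"memberUid": {"coadmin5", "coadmin6"}},
}

ADMIN_GROUP = "cn=admin,ou=group,dc=abc"
COADMIN_GROUP = "cn=coadmin,ou=group,dc=abc"


def attr(dn, name):
    """'[dn]/name': the values of attribute `name` at `dn` (empty if absent)."""
    return set(DIRECTORY.get(dn, {}).get(name, set()))


def strip_rdns(dn, n):
    """'dn/-n' as the poster reads it: drop the n leftmost RDNs.

    The constructed DNs contain no escaped commas, so a plain split is safe.
    """
    parts = dn.split(",")
    return ",".join(parts[n:]) if n < len(parts) else ""


def target_is_admin_owned(this):
    """Poster's 1.1 | 1.2: `this` is an admin's root account, or a service
    account two RDNs below one."""
    root_hit = attr(ADMIN_GROUP, "memberUid") & attr(this, "uid")                 # 1.1
    svc_hit = attr(ADMIN_GROUP, "memberUid") & attr(strip_rdns(this, 2), "uid")   # 1.2
    return bool(root_hit | svc_hit)


def user_is_coadmin(user):
    """Poster's 1.3: the bound user's uid is listed in the coadmin group."""
    return bool(attr(COADMIN_GROUP, "memberUid") & attr(user, "uid"))


def user_is_admin(user):
    """First 'by set=' clause: the bound user's uid is listed in the admin group."""
    return bool(attr(ADMIN_GROUP, "memberUid") & attr(user, "uid"))


def owns(user, this):
    """'set.exact="this/-2 & user"': the bound user is the root account two
    RDNs above the target (true only for service-account targets)."""
    return strip_rdns(this, 2) == user


def password_access(user, this):
    """Walk the second ACL's 'by' clauses in order; first match wins.

    Returns the access level granted to `user` on `this`'s userPassword,
    or None when only 'by * break' would be reached.
    """
    if user_is_admin(user):
        return "manage"
    if target_is_admin_owned(this) and user_is_coadmin(user):
        return "disclose"          # the clause meant to shield admins
    if user_is_coadmin(user):
        return "manage"
    if owns(user, this):
        return "write"
    if user == this:
        return "write"             # 'by self write'
    return None


def effective_matrix():
    """Every (user, target, access) triple for the account entries: the table a
    reviewer would read before loading such an ACL into a live server."""
    accounts = [dn for dn, attrs in DIRECTORY.items() if "uid" in attrs]
    return [(u, t, password_access(u, t)) for u in accounts for t in accounts]


if __name__ == "__main__":
    for user, target, access in effective_matrix():
        print(f"{user:75} -> {target:75}: {access}")
```

Under these assumptions the model grants a coadmin only `disclose` on admin7's password and on bil's (the service account under admin7), and `manage` on every other account, which is the behaviour the post asks for; so if the real server does not behave that way, the gap lies in how slapd parses the expressions, not in the intended logic. To test the real ACL rather than this model, OpenLDAP's slapacl(8) evaluates access against the actual configuration without a running server, for example `slapacl -f slapd.conf -D "uid=coadmin5,ou=People,dc=abc" -b "uid=admin7,ou=People,dc=abc" userPassword`.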