On Wed, 21 Aug 2019 10:50:19 +0200, Ondřej Kuzník <on...@mistotebe.net> wrote:
> On Tue, Aug 20, 2019 at 10:22:56PM +0200, Martin W. wrote:
> > Dear OpenLDAP technical list,
> >
> > I've been running into a little problem with my permission
> > structures – and was wondering if you could help me with it.
> >
> > I want the members of a group to administer a tree structure; the
> > group is a member of it. I've tried some acl settings – I'll post my
> > trials below the basic structure.
> >
> > I've tried some different things ... and no regex was successful
> > :( Since I'll post some fragments, I put every LDIF fragment within
> > such a bash fragment:
> >
> >> olcAccess: to *
> >>   by self write
> >>   by dn="cn=admin,dc=example,dc=com" write
> >>   by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
> >>   by users read
> >>   by * none
> >
> > trial 1
> >
> >> olcAccess: to dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com"
> >>   by self write
> >>   by dn="cn=admin,dc=example,dc=com" write
> >>   by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
> >>   by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write
> >>   by set="this/member* & user" read
> >>   by * none
> >
> > The result is that admin and any member of ldapadmins can edit; the
> > members of specific entity admin subgroups cannot edit.
> > The specific admin subgroups cannot even see the entities subtree.
>
> Hi Martin,
> what is the order of the above two olcAccess statements? If they apply
> in the order above, it seems the first one will always apply and
> processing will stop there. In that case you either want to add a
> "break" in the first one or split/move it to be checked later.
>
> I assume you also know and use the slapacl tool (and loglevel acl) to
> test with? Does it show any additional information that might be
> helpful in diagnosing the issue?

With regard to 'set', here is some basic information:

http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
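As an added illustration of the reordering Ondřej describes (this is not from the thread), the cn=config modify below places Martin's entity-specific rule ahead of the catch-all "to *" so slapd evaluates it first; the database DN (olcDatabase={1}mdb) and the slapd.d path in the comments are assumptions.

```ldif
# Added example, not from the thread. Assumes the data backend is
# olcDatabase={1}mdb,cn=config; check with: slapcat -n0 | grep '^dn: olcDatabase'
#
# olcAccess values are evaluated in {N} order and the first "to" clause
# whose target matches the entry decides access, so with "to *" at {0}
# every authenticated user hits "by users read" and processing stops.
# Putting the entity rule at {0} lets the set.expand clause be reached.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com"
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
  by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write
  by set="this/member* & user" read
  by * none
olcAccess: {1}to *
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
  by users read
  by * none
# Caveat: "([^,]+,)?" matches only the o=... entry and its direct children;
# entries deeper in an entity subtree fall through to the {1} rule.
# Verify offline against the config (assumed paths and DNs):
#   slapacl -v -F /etc/ldap/slapd.d \
#     -D "uid=alice,ou=people,dc=example,dc=com" \
#     -b "o=acme,ou=entities,dc=example,dc=com" entry/write
```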